Secure on-premise to cloud communication

ABSTRACT

A plurality of system nodes coupled via a dedicated private network is described herein. The nodes offer an end-to-end solution for protecting against network-based attacks. The nodes can include network gateways that allow remote systems, such as servers located at an entity's place of operation or a data center accessible by the entity, to securely transmit data between the nodes and the remote systems. For example, the network gateways can transmit split data into different portions, and transmit each portion over a different path through a public network to mitigate the effects of man-in-the-middle attacks. Once data reaches a node, transmission of the data from one node to another can pass through multiple intermediary nodes via the dedicated private network. The nodes and/or remote systems may also include cross-domain guard devices that control whether data can pass from one security domain to another.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/439,502, entitled “SECURE ON-PREMISE TO CLOUD COMMUNICATION” and filed Jun. 12, 2019, which claims priority under 35 U.S.C. § 119(e) to U.S. Provisional Patent Application No. 62/685,772, entitled “SECURE ON-PREMISE TO CLOUD COMMUNICATION” and filed on Jun. 15, 2018, each of which is hereby incorporated by reference herein in its entirety.

BACKGROUND

Many electronic devices operated by users have access to or can be accessed via a network. For example, a user can use one electronic device (e.g., a computer) to access another electronic device (e.g., a set-top box) via a network. Typically, usernames and passwords are used to restrict access to network-accessible electronic devices. For example, the data associated with an electronic device may only be accessed if a user provides the correct username and password.

However, usernames and passwords offer little protection against network-based attacks. Users often select simple or common passwords that are easily deciphered by an unauthorized user. Once deciphered, the unauthorized user may have access to sensitive data and can cause physical, emotional, and/or monetary harm.

SUMMARY

One aspect of the disclosure provides a system for securely communicating data. The system comprises a computing system comprising one or more computing devices, the computing system configured to operate as a cross-domain guard, the computing system located in a data center that has an internal network with a first security domain, the computing system configured with computer-executable instructions that, when executed, cause the computing system to: determine that a first data packet can be transmitted from the first security domain to a second security domain based on an analysis of content of the first data packet; and prevent transmission of a second data packet from the first security domain to the second security domain based on an analysis of content of the second data packet. The system further comprises a source network gateway in communication with the computing system and located in the data center, the source network gateway comprising a hardware processor, the source network gateway configured with second computer-executable instructions that, when executed, cause the source network gateway to obtain and split the first data packet into a third data packet and a fourth data packet that is not a duplicate of the third data packet. The system further comprises a remote system located at a location remote from the data center, the remote system having a second internal network with the second security domain, the remote system further comprising a remote network gateway, where the remote network gateway is configured with third computer-executable instructions that, when executed, cause the remote network gateway to: obtain the third data packet from the source network gateway via a first path through the network; obtain the fourth data packet from the source network gateway via a second path through the network; and assemble the third data packet and the fourth data packet to form a reassembled version of the first data packet.

The system of the preceding paragraph can include any sub-combination of the following features: where the system further comprises a redundant remote system in communication with the remote system via a private network, the redundant remote system configured to obtain the reassembled version of the first data packet from the remote system via the private network; where the system further comprises a second remote system in communication with the remote system via a private network, where the second remote system has a third internal network with the second security domain, the second remote system further comprising a second remote network gateway and a processing server, where the second remote network gateway is configured with fourth computer-executable instructions that, when executed, cause the second remote network gateway to: obtain a fifth data packet from the remote network gateway via a third path through the private network, the fifth data packet created based on a split of the reassembled version of the first data packet, obtain a sixth data packet from the remote network gateway via a fourth path through the private network, the sixth data packet created based on the split of the reassembled version of the first data packet, assemble the fifth data packet and the sixth data packet to form a second reassembled version of the first data packet, and transmit the second reassembled version of the first data packet to the processing server; where the fourth computer-executable instructions, when executed, further cause the second remote network gateway to: obtain a processed data packet from the processing server, split the processed data packet into a seventh data packet and an eighth data packet, transmit the seventh data packet to the remote network gateway via a fifth path through the private network, and transmit the eighth data packet to the remote network gateway via a sixth path through the private network such that the remote network gateway can assemble the seventh and eighth data packets into a ninth data packet and forward contents of the ninth data packet to the source network gateway; where the third path passes through a network gateway of a third remote system in communication with the remote system and the second remote system via the private network, and where the fourth path passes through a network gateway of a fourth remote system in communication with the remote system and the second remote system via the private network; where the remote system comprises a processing server, and where the processing server receives the reassembled version of the first data packet from the remote network gateway; where the source network gateway comprises an access point, a controller, and a processing unit; where the access point is configured to authenticate a user device using at least one of heuristics or a media access control (MAC) address of the user device; where the processing unit comprises at least one graphical processing unit (GPU), and where the processing unit is configured to process the content included in the first data packet using the at least one GPU; where the processing unit is configured to run remote applications locally in the data center such that a user device can access the remote applications via the access point without communicating data over a public network; and where the processing unit is coupled to a switch in the data center, where the controller is coupled to the processing unit and the access point, and where the controller serves as an interface to a public network.

Another aspect of the disclosure provides a computer-implemented method for securely communicating data. The computer-implemented method comprises: determining that a first data packet present in a first security domain in a data center can be transmitted from the first security domain to a second security domain based on an analysis of content of the first data packet; preventing transmission of a second data packet from the first security domain to the second security domain based on an analysis of content of the second data packet; splitting the first data packet into a third data packet and a fourth data packet that is not a duplicate of the third data packet; transmitting the third data packet via a source network gateway and a first path through a network to a second network gateway remote from the data center; and transmitting the fourth data packet via the source network gateway and a second path through the network to the second network gateway, where the second network gateway is configured to assemble the third data packet and the fourth data packet to form a reassembled version of the first data packet.

The computer-implemented method of the preceding paragraph can include any sub-combination of the following features: where a redundant network gateway is in communication with the second network gateway via a private network, the redundant network gateway configured to obtain the reassembled version of the first data packet from the second network gateway via the private network; where the computer-implemented method further comprises, by a third network gateway in communication with the second network gateway via a private network: obtaining a fifth data packet from the second network gateway via a third path through the private network, the fifth data packet created based on a split of the reassembled version of the first data packet, obtaining a sixth data packet from the second network gateway via a fourth path through the private network, the sixth data packet created based on the split of the reassembled version of the first data packet, assembling the fifth data packet and the sixth data packet to form a second reassembled version of the first data packet, and transmitting the second reassembled version of the first data packet to a processing server; where the computer-implemented method further comprises, by the third network gateway: obtaining a processed data packet from the processing server, splitting the processed data packet into a seventh data packet and an eighth data packet, transmitting the seventh data packet to the second network gateway via a fifth path through the private network, and transmitting the eighth data packet to the second network gateway via a sixth path through the private network such that the second network gateway can assemble the seventh and eighth data packets into a ninth data packet and forward contents of the ninth data packet to the source network gateway; where the third path passes through a fourth network gateway in communication with the second and third network gateways via the private network, and where the fourth path passes through a fifth network gateway in communication with the second and third network gateways via the private network; where the source network gateway comprises an access point, a controller, and a processing unit; where the processing unit comprises at least one graphical processing unit (GPU), and where the processing unit is configured to process the content included in the first data packet using the at least one GPU; and where the processing unit is configured to run remote applications locally in the data center such that a user device can access the remote applications via the access point without communicating data over a public network.

Another aspect of the disclosure provides non-transitory, computer-readable storage media comprising computer-executable instructions, where the computer-executable instructions, when executed by a computing system in a data center, cause the computing system to: determine that a first data packet present in a first security domain can be transmitted from the first security domain to a second security domain based on an analysis of content of the first data packet; prevent transmission of a second data packet from the first security domain to the second security domain based on an analysis of content of the second data packet; split the first data packet into a third data packet and a fourth data packet that is not a duplicate of the third data packet; transmit the third data packet via a source network gateway and a first path through a network to a second network gateway remote from the data center; and transmit the fourth data packet via the source network gateway and a second path through the network to the second network gateway, where the second network gateway is configured to assemble the third data packet and the fourth data packet to form a reassembled version of the first data packet.
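The guard-then-split flow of the summary above, carried through in Python as an added example (this is not the patent's own code). The classification-marker guard rule, the byte-interleaving split, the shared gateway key and the HMAC tag are assumptions chosen to make the flow concrete; the tag is what lets the remote gateway reject a portion altered on one of the two paths instead of accepting it silently.

```python
"""Guard-then-split over two paths (added example, not the patent's code).

Assumed, not from the patent: the guard rule is a classification marker
check on the packet body; the split interleaves even- and odd-offset bytes;
both gateways hold a shared key and verify an HMAC over the whole packet.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Security domain levels, highest first (labels mirror the "SCIF" and
# "Moderate" domains named in the patent's figure description).
DOMAIN_LEVEL = {"SCIF": 2, "Moderate": 1, "Public": 0}
GATEWAY_KEY = b"constructed-shared-gateway-key"   # held by both gateways
MARKER = re.compile(rb"\[(SCIF|Moderate|Public)\]")


def guard_allows(packet: bytes, dst_domain: str) -> bool:
    """Cross-domain guard: decide from the packet's content, not its headers.
    Assumed rule: every classification marker in the body must be at or
    below the destination domain's level."""
    dst = DOMAIN_LEVEL[dst_domain]
    return all(DOMAIN_LEVEL[m.decode()] <= dst for m in MARKER.findall(packet))


@dataclass(frozen=True)
class Fragment:
    packet_id: int
    index: int      # 0 = even-offset bytes, 1 = odd-offset bytes
    payload: bytes
    tag: bytes      # HMAC-SHA256 over packet_id || original packet


def _tag(packet_id: int, packet: bytes) -> bytes:
    msg = packet_id.to_bytes(4, "big") + packet
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).digest()


def split_packet(packet: bytes, packet_id: int) -> tuple[Fragment, Fragment]:
    """Source gateway: two non-duplicate portions, one per path. Neither
    portion on its own is the original packet."""
    tag = _tag(packet_id, packet)
    return (Fragment(packet_id, 0, packet[0::2], tag),
            Fragment(packet_id, 1, packet[1::2], tag))


def reassemble(first: Fragment, second: Fragment) -> bytes:
    """Remote gateway: interleave the portions in whatever order the two
    paths delivered them, then verify the MAC before handing the packet on."""
    if first.packet_id != second.packet_id or {first.index, second.index} != {0, 1}:
        raise ValueError("fragments do not belong to the same packet")
    even, odd = (first, second) if first.index == 0 else (second, first)
    out = bytearray()
    for i, byte in enumerate(even.payload):
        out.append(byte)
        if i < len(odd.payload):
            out.append(odd.payload[i])
    if not hmac.compare_digest(_tag(first.packet_id, bytes(out)), even.tag):
        raise ValueError("integrity check failed: a portion was altered in transit")
    return bytes(out)


def source_gateway(packet: bytes, dst_domain: str,
                   packet_id: int) -> Optional[tuple[Fragment, Fragment]]:
    """Guard first, then split: a blocked packet never reaches either path."""
    if not guard_allows(packet, dst_domain):
        return None
    return split_packet(packet, packet_id)


def demo() -> dict:
    """Constructed packets: one the guard passes, one it blocks."""
    allowed = b"sensor report [Moderate] temp=21C"
    blocked = b"design notes [SCIF] do not export"
    path_a, path_b = source_gateway(allowed, "Moderate", 7)
    recovered = reassemble(path_b, path_a)      # path B happened to arrive first
    # One byte changed on path B: the remote gateway must reject the packet.
    tampered = Fragment(path_b.packet_id, path_b.index,
                        b"X" + path_b.payload[1:], path_b.tag)
    try:
        reassemble(path_a, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "recovered": recovered,
        "path_a_payload": path_a.payload,
        "blocked": source_gateway(blocked, "Moderate", 8) is None,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```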

BRIEF DESCRIPTION OF THE DRAWINGS

Throughout the drawings, reference numbers may be re-used to indicate correspondence between referenced elements. The drawings are provided to illustrate example embodiments described herein and are not intended to limit the scope of the disclosure.

FIG. 1 illustrates a multi-node environment.

FIGS. 2A-2B illustrate the components of an exemplary node in the multi-node environment of FIG. 1.

FIG. 3A illustrates an example data flow between electronic devices and a node of FIG. 1.

FIG. 3B illustrates an example data flow between electronic devices and the components in a node of FIG. 1 via a cellular network.

FIG. 3C illustrates an example data flow between electronic devices and the components in a node of FIG. 1 via a public network.

FIG. 4 illustrates an example data flow between an electronic device and the components in a node of FIG. 1.

FIG. 5 illustrates a detailed block diagram of the encryption key management system of a node of FIG. 1.

FIG. 6 illustrates the redundancy of the encryption key management systems of FIGS. 2A-2B between the nodes of FIG. 1.

FIG. 7 illustrates a process that may be implemented by a local key management (LKM) system of FIG. 5 to provide an encryption key to a self-encrypting drive (SED), such as the SED of FIG. 5.

FIG. 8 illustrates an example data packet analysis through a security information and event management (SIEM) system within a node.

FIG. 9 illustrates an example integrated control and data management interface network.

FIG. 10 illustrates a double-encryption environment between a node and a user system.

FIGS. 11A-11E are block diagrams of an “on-premise to cloud” environment in which data managed by an entity (e.g., an individual, a company, a business, etc.) and stored locally at the entity's place of operation (e.g., in one or more servers located at the place of operation) and/or stored at a location accessible by the entity (e.g., in one or more servers at a data center) can be securely transmitted to a node of FIG. 1 via the public network, the cellular network, and/or the private network.

FIG. 12 is a block diagram of a second “on-premise to cloud” environment in which data managed by an entity (e.g., an individual, a company, a business, etc.) and stored locally at the entity's place of operation (e.g., in one or more servers located at the place of operation) and/or stored at a location accessible by the entity (e.g., in one or more servers at a data center) can be securely transmitted to a node of FIG. 1 via the public network, the cellular network, and/or the private network.

FIG. 13 illustrates a diagram detailing the nodes of FIG. 1 each having a network gateway (e.g., DVN) that allows each node of FIG. 1 to operate as a “deflect,” if necessary.

FIG. 14 illustrates a diagram detailing two systems having different security domain levels (where the system identified as “SCIF” has the higher security domain level and the system 1402 identified as “Moderate” has the lower security domain level), with cross-domain guard devices present to control the flow of data between the different security domain levels.

FIG. 15 illustrates a block diagram detailing an embodiment in which data can be communicated between a node of FIG. 1 and a third-party cloud system provider via a direct network backbone connection (e.g., via channel connectivity (ON-Net)) instead of via the public network and/or the cellular network.

FIG. 16 is a block diagram of another “on-premise to cloud” environment in which data managed by an electronic device can be securely transmitted through an edge system to a node of FIG. 1 via the public network, the cellular network, and/or the private network.

FIG. 17 is a block diagram of a network gateway, according to one embodiment.

FIG. 18 illustrates a process that may be implemented by a network gateway and/or a cross-domain guard device to transmit data over a public network.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

Introduction

As discussed above, usernames and passwords provide little protection against network-based attacks. Conventional data network systems offer solutions to secure electronic devices and/or the channel by which electronic devices communicate over a network from unwanted intrusions, but such solutions leave gaps that can be exploited by unauthorized users. Thus, a system that offers end-to-end protection against network-based attacks may be desirable. This may be especially true given the proliferation of network-accessible data storage systems, where valuable information is stored and accessed via a network, and/or network-accessible electronic devices.

Accordingly, a multi-node environment is described herein in which a plurality of nodes coupled via a dedicated private network offer an end-to-end solution for protecting against network-based attacks. For example, a single node can receive and store user data via a data flow that passes through various components of the node. The node can be designed such that communications internal to the node, such as the transmission of encryption keys, are partitioned or walled off from the components of the node that handle the publicly accessible data flow. The node also includes a key management subsystem to facilitate the use of encryption keys to encrypt user data.

Multi-Node Architecture Overview

FIG. 1 illustrates a multi-node environment. As shown in FIG. 1, the multi-node environment includes a plurality of nodes 110A-N that communicate with each other via a dedicated private network 101. Each node 110A-N can be a system that includes a variety of electronic devices and/or components, as described in greater detail below with respect to FIGS. 2A-6. The nodes 110A-N can be configured to control user devices, detect inconsistencies in the operation of one or more user devices, store user data, and/or protect stored user data from network-based attacks.

The private network 101 can be a privately accessible network of linked networks, possibly operated by various distinct parties, such as a personal area network, local area network, wide area network, cable network, satellite network, cellular telephone network, etc. or combination thereof, each with access to and/or from the Internet. The private network 101 can provide superior network performance through dedicated bandwidth and low latency as compared to other publicly available networks, such as the Internet. For example, the private network 101 can provide a direct connection between the various nodes 110A-N in the multi-node environment, where the communication channel providing the direct connection cannot be accessed by electronic devices that are configured to access a publicly available network. Because access to the private network 101 is restricted to just the nodes 110A-N, the risk of a network-based intrusion of the nodes 110A-N or the data transmitted between the nodes 110A-N is greatly diminished.

In some embodiments, as discussed below, the nodes 110A-N also have access to publicly accessible networks, such as the Internet. Each node 110A-N can include an access server and/or router that enforces a separation between the publicly accessible network and the private network 101.

Each node 110A-N can be located in a different geographic location. For example, the node 110A can be located in a first country (e.g., the United States of America), the node 110B can be located in a second country (e.g., the United Kingdom), and so on. Alternatively, each node 110A-N may reside at a common geographic location.

In an embodiment, each node 110A-N is identical in composition and operation. The nodes 110A-N can operate in real-time to replicate data between or among the various nodes 110A-N to ensure that the sum of aggregate data is present in both or all node 110A-N locations. This redundancy not only improves the reliability of the multi-node environment, but also enhances the threat-detecting capability of the nodes 110A-N. For example, the nodes 110A-N may independently identify Internet Protocol (IP) addresses from which one or more attacks on the respective node 110A-N (e.g., to disable or impair the functionality of the respective node 110A-N) or attempted intrusions into the respective node 110A-N have originated. A node, such as the node 110A, may transmit a routing table that includes the IP addresses that the node 110A has identified as a threat to one or more of the other nodes 110B-N so that the other nodes 110B-N can update their routing tables accordingly. Thus, by sharing routing tables between nodes 110A-N, an address identified as a threat at one node can be blocked by the other nodes in the environment.

The similarity in architecture between various nodes 110A-N may enable any node 110A-N to serve as the secondary storage and/or processing site for any other node 110A-N. Thus, a multi-node environment that includes identically constructed nodes 110A-N may have a built-in secondary storage site to permit the storage and/or recovery of information. In other words, the nodes 110A-N may be redundant. The actual pairing of primary and secondary storage sites may be determined by taking into account a variety of factors, such as regional legal requirements, latency, and/or the like. The secondary storage site can have information security safeguards equivalent to or nearly equivalent to those of the primary site and can maintain connectivity to the primary site. Such a multi-node environment may also include an inherent secondary processing site to permit the resumption of system operations when primary processing capabilities become unavailable. The secondary processing site can have information security safeguards equivalent to or nearly equivalent to those of the primary site. The redundancy of the nodes 110A-N is described in greater detail below with respect to FIGS. 2A-B and 6.

In other embodiments, the nodes 110A-N are not identical in composition and/or operation. For example, the nodes 110A-N may include additional components required by the jurisdiction in which the respective node 110A-N resides to comply with one or more security standards (or may not include components that cannot be included in the respective node 110A-N in order to comply with one or more security standards).

Node Composition

FIGS. 2A-2B illustrate the components of an exemplary node 110A in the multi-node environment of FIG. 1. Any of a variety of alternate node architectures may alternatively be used for some or all of the nodes 110A-N. Alternatively or in addition, the architecture of the node 110A can be similar to the architecture of the nodes 110B-N and/or the operations performed by the node 110A can also be performed by the nodes 110B-N. As shown in FIGS. 2A-B, the node 110A can include a security information and event management (SIEM) system 201, a switch 212 (e.g., a CISCO CATALYST 3650 Series switch, a CISCO CATALYST 4500 Series switch, etc.), an encryption key management system 205 (e.g., two HP Enterprise Secure Key Managers), one or more processing servers 206 (e.g., ten HP DL380 servers), one or more monitoring servers 207 (e.g., two HP DL380 servers), one or more storage servers 208 (e.g., an HP 3PAR STORESERV system), and one or more backup repository servers 209 (e.g., an HP 3PAR STORESERV system). The SIEM system 201 can include a router 202 (e.g., a CISCO ASR Boundary Device), an active threat detector 203 (e.g., a RAYTHEON SUREVIEW Threat Detector), and a firewall 204 (e.g., a FORTINET firewall, a PALO ALTO NETWORKS 5000 Series firewall, etc.). Some or all of the components of the node 110A can reside at a common geographic location and may be interconnected on a local area network.

The SIEM system 201 may provide boundary security. Within the SIEM system 201, individual intrusion detection tools can be integrated into a system-wide intrusion detection sub-system. The router 202 can interface with the external world and transfer data between the node 110A and the external world. For example, the router 202 can transfer data between the node 110A and other nodes 110B-110N via the private network 101. As illustrated in FIG. 2A, the router 202 can also transfer data between the node 110A and electronic devices 211 via a public network 210 (e.g., a publicly accessible network of linked networks, such as the Internet) and/or a cellular network 220 (e.g., a private network operated by a cellular carrier or operator). Alternatively or in addition, as illustrated in FIG. 2B, the router 202 can transfer data between the node 110A and a server 230 via a network 240 (e.g., a public and/or private network similar to the public network 210, the cellular network 220, and/or the private network 101). The server 230 can be a computing system that manages one or more of the electronic devices 211 and that communicates with the electronic devices 211 via the public network 210 and/or the cellular network 220. Alternatively or in addition, the server 230 can communicate with the electronic devices 211 via a private network, such as a local area network (not shown). The node 110A can communicate with electronic devices 211 via the server 230. Here, because the node 110A communicates with the server 230 via the network 240 (which can be a private network) and the communication channel is encrypted and secure due to the security techniques implemented by the node 110A, any unauthorized users would not detect and cannot interfere with instructions transmitted by the node 110A to the server 230. In the situation that the network 240 is a private network, unauthorized users would not even have the ability to access the network 240. Thus, the node 110A can communicate securely with the server 230 without the unauthorized user having the ability to reject, prevent, and/or manipulate the communication.

The active threat detector 203 can monitor network activities and/or detect abnormal events and/or abnormal patterns of activities. The active threat detector 203 may receive third party threat data from external sources (e.g., via the public network 210) to enhance the monitoring and detection functionality. For example, the active threat detector 203 may periodically receive updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated (e.g., by malware analysis software). The lists may be in the form of a routing table (e.g., an internal address resolution protocol (ARP) routing table) that the active threat detector 203 can use to compare with the source and/or destination address of incoming packets. The active threat detector 203 can be automatically updated each time the third party threat data is received from external sources. Alternatively, the active threat detector 203 can be updated once the received third party threat data is approved for use by an administrator. In an embodiment, the nodes 110A-N can share such received third party threat data via the private network 101. Thus, if access to the external sources is severed for one node 110A-N, that node 110A-N can receive the third party threat data from another node 110A-N instead.

The firewall 204 can control network activities and/or work in tandem with real-time threat detection performed by the active threat detector 203. Like with the active threat detector 203, the firewall 204 can also receive third party threat data from external sources (e.g., via the public network 210) to enhance the control of network activities. The third party threat data may be received from the same external sources as the active threat detector 203 or from different external sources. The third party threat data may be in the form of routing tables and/or lists or ranges of suspicious or malicious IP addresses and may be used in the same manner as the active threat detector 203 as described above. The third party threat data can also be shared between the nodes 110A-N via the private network 101. The threat detection activities of the active threat detector 203 and/or the firewall 204 are described in greater detail below with respect to FIG. 8.

In an embodiment, the SIEM system 201 components 202-204 correlate information to provide a more robust security scheme. For example, the SIEM system 201 uses information generated by the router 202, the active threat detector 203, and/or the firewall 204 to protect data from unauthorized access, modification, and/or deletion. If one of the active threat detector 203 or the firewall 204 identifies malicious activity that originates from an IP address that otherwise was not identified in the data received from the external sources, the active threat detector 203 and/or the firewall 204 flags the IP address as a malicious address. The active threat detector 203 and/or the firewall 204 may then notify the other nodes 110A-N (via the router 202) of this newly identified IP address so that the other nodes 110A-N can be prepared to block and/or analyze a packet that originates from or is destined for the newly identified IP address. In this way, if one node 110A identifies a threat, the other nodes 110B-N can be automatically updated to recognize and prepare for the same threat.

Thus, the SIEM system 201 can support both external threat detection (e.g., using third party threat data) and internal threat detection (e.g., threats identified by a node 110A-N). Both the third party threat data and the threat data identified by a single node 110A-N can be shared with the other nodes 110A-N via the private network 101 (e.g., as routing tables or updates to routing tables) such that the routers 202, the active threat detectors 203, and/or the firewalls 204 of each of the nodes 110A-N are configured with the same, updated threat information.
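The threat-sharing behaviour of the preceding paragraphs (a node flags an attacking address from its own events, pushes it to the other nodes as a routing-table update, peers merge it, and third-party data is applied at once or held for administrator approval), written out as an added Python example that is not the patent's own code. The event line format, the failed-login threshold and the in-process peer list standing in for the private network 101 are assumptions.

```python
"""Threat sharing between nodes 110A-N (added example, not the patent's code).

Assumed, not from the patent: event lines "<source-ip> <event>", the
failed-login threshold, and peer lists standing in for private network 101.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from typing import Iterable

FAILED_LOGIN_THRESHOLD = 3

# Constructed event log for node 110A; addresses are documentation ranges.
NODE_A_EVENTS = """
203.0.113.7 login_failed
203.0.113.7 login_failed
203.0.113.7 login_failed
198.51.100.20 login_ok
198.51.100.21 login_failed
""".strip().splitlines()


class Node:
    def __init__(self, name: str):
        self.name = name
        self.blocked: set = set()   # ip_network objects currently enforced
        self.origin: dict = {}      # network -> who reported it to this node
        self.pending: dict = {}     # feed name -> networks awaiting approval
        self.peers: list[Node] = []

    def detect_local_threats(self, events: Iterable[str]) -> set:
        """Internal detection: a source reaching the failed-login threshold
        is flagged, enforced locally and pushed to every peer."""
        failures: Counter = Counter()
        for line in events:
            ip, event = line.split()
            if event == "login_failed":
                failures[ip] += 1
        found = {ipaddress.ip_network(ip) for ip, n in failures.items()
                 if n >= FAILED_LOGIN_THRESHOLD}
        self.apply_update(found, source=self.name)
        return found

    def apply_update(self, networks: set, source: str) -> None:
        """Merge a routing-table style update and forward only what is new,
        so the mesh converges without re-broadcast loops."""
        new = networks - self.blocked
        if not new:
            return
        self.blocked |= new
        for net in new:
            self.origin[net] = source
        for peer in self.peers:
            peer.apply_update(new, source=self.name)

    def receive_feed(self, feed: str, cidrs: Iterable[str], auto_apply: bool) -> None:
        """External third-party data: applied immediately, or held until an
        administrator approves it (the patent allows either policy)."""
        networks = {ipaddress.ip_network(c) for c in cidrs}
        if auto_apply:
            self.apply_update(networks, source=feed)
        else:
            self.pending[feed] = networks

    def approve_feed(self, feed: str) -> None:
        self.apply_update(self.pending.pop(feed), source=feed)

    def allows(self, src_ip: str, dst_ip: str) -> bool:
        """Per-packet check: drop if source or destination is in a blocked range."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return not any(src in net or dst in net for net in self.blocked)


def build_mesh() -> tuple[Node, Node, Node]:
    """Three fully connected nodes; the peer lists stand in for network 101."""
    a, b, c = Node("node-110A"), Node("node-110B"), Node("node-110C")
    a.peers, b.peers, c.peers = [b, c], [a, c], [a, b]
    return a, b, c


def demo() -> dict:
    a, b, c = build_mesh()
    found = a.detect_local_threats(NODE_A_EVENTS)
    # A vendor feed reaches only node C, which holds it for approval.
    c.receive_feed("vendor-feed", ["192.0.2.0/24"], auto_apply=False)
    held = c.allows("192.0.2.5", "10.0.0.1")
    c.approve_feed("vendor-feed")
    return {
        "flagged_by_a": {str(n) for n in found},
        "blocked_at_b": not b.allows("203.0.113.7", "10.0.0.1"),
        "single_failure_allowed": c.allows("198.51.100.21", "10.0.0.1"),
        "feed_held_until_approved": held,
        "feed_blocked_at_a": not a.allows("10.0.0.1", "192.0.2.5"),
        "feed_origin_at_a": a.origin[ipaddress.ip_network("192.0.2.0/24")],
    }


if __name__ == "__main__":
    print(demo())
```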

The SIEM system 201 can support a dedicated connection within the multi-node environment to maintain a separate network within the multi-node environment (e.g., as represented by the private network 101). The separate network (e.g., the private network 101) can be dedicated to a single user or entity to implement the particular technical requirements desired by the user or entity. In an embodiment, the SIEM system 201 uses Border Gateway Protocol (BGP) to switch and/or route traffic across the private network 101, the public network 210, and/or other private or public networks not shown (e.g., dedicated network connections, such as tunneled connections, to an enterprise network).

The one or more processing servers 206 can execute applications, virtual machines, and/or the like that are requested by users attempting to access the node 110A. The one or more processing servers 206 can also perform analytics on user data. For example, the one or more processing servers 206 can track historical data, scheduling data, and/or the like and provide statistical information derived from such data. The one or more processing servers 206 can derive this information in real-time (e.g., as the data is received and processed by the node 110A) or on-demand (e.g., when requested by a user) to allow a user to review events that have already occurred. Alternatively, another server (not shown) within the node 110A can track historical data, scheduling data, and/or the like and provide statistical information derived from such data.

The one or more monitoring servers 207 can be configured to monitor the one or more processing servers 206 to ensure that the applications executed by the one or more processing servers 206 are running properly. The one or more monitoring servers 207 can start, restart, stop, and/or pause any applications executed by the one or more processing servers 206 for diagnostic purposes. The one or more monitoring servers 207 may also control and monitor the power, cooling, and/or other environmental elements of the node 110A. The one or more monitoring servers 207 may also perform authentication monitoring to ensure that users are only provided access to the node 110A after being successfully authenticated (e.g., the one or more monitoring servers 207 can include or act as a lightweight directory access protocol (LDAP) server).

The one or more storage servers 208 can include one or more self-encrypting drives (SEDs) that are each non-transitory storage mediums (e.g., magnetic disk drives, solid state memory drives, etc.) configured to encrypt and store received data using encryption keys provided by another component (e.g., the encryption key management system 205 in this case).

In some embodiments, the one or more backup repository servers 209 are configured to store data backups and to perform disaster recovery (e.g., data recovery) operations. In other embodiments, the one or more backup repository servers 209 are only configured to store data backups. The one or more backup repository servers 209 can store backups of data associated with the SIEM system 201, the switch 212, the encryption key management system 205, the one or more processing servers 206, the one or more monitoring servers 207, and/or the one or more storage servers 208.

In an embodiment, the one or more backup repository servers 209 of one node, such as node 110A, store data backups of data associated with another node, such as node 110B. Likewise, the one or more backup repository servers 209 of the node 110B store data backups of data associated with the node 110A. Thus, the data backup stored in one node is a mirror of the data of another node (and allows the node with the stored data backup to act as a redundant node). A circuit, such as a virtual circuit (not shown), can monitor the status of each of the nodes 110A-N. If a first node becomes inactive, the circuit notifies a second node that stores the data backup of the inactive first node, and the second node temporarily operates as the first node (and as the second node). Thus, if the node 110A becomes inactive, the one or more backup repository servers 209 of the node 110B operate as the node 110A, providing the functionality that the node 110A normally would provide.

While the backup node operates as the inactive node, the backup node may store data, change settings, and/or make other changes that have not been introduced in the inactive node. Before the inactive node becomes fully active and starts operating as normal, the backup node and the inactive node may be synched. For example, once the inactive node becomes active again, the circuit notifies the backup node, the backup node updates the inactive node to include any changes that occurred since the inactive node became inactive, and the inactive node begins operating under normal conditions again. Thus, if the node 110A becomes active again, the one or more backup repository servers 209 of the node 110B update any or all components of the node 110A such that the node 110A and the data in the one or more backup repository servers 209 associated with the node 110A are synched, and the node 110A then begins normal operations (and the one or more backup repository servers 209 of the node 110B cease operating as the node 110A and merely provide backup services as before).

In alternate embodiments, the one or more backup repository servers 209 of a node store data backups of data associated with that same node. If the node becomes inactive, the one or more backup repository servers 209 of the node may operate as described above to provide services until the node becomes active again.

In an embodiment, a node, such as the node 110A, includes components to separate user functionality (including user interface services) from system management functionality. For example, a multi-node environment may utilize sub-networks for publicly accessible system components and logically separate those components from system-internal networks and/or functions. A node can also include components to prevent unauthorized and/or unintended information from being transferred through shared multi-node environment resources. A node can include components to partition stored information into various components residing in separate physical domains or environments. In some embodiments, in addition to the physical separation of stored information, the multi-node environment maintains a separate execution domain for each executing process running in the nodes 110A-N of the multi-node environment.

Each node 110A-N may be a single computing device or may include multiple distinct computing devices, such as computer servers, logically or physically grouped together to collectively operate as a system. The components of each node 110A-N can each be implemented in application-specific hardware (e.g., a server computing device with one or more ASICs) such that no software is necessary, or as a combination of hardware and software. In addition, the modules and components of each node 110A-N can be combined on one server computing device or separated individually or into groups on several server computing devices. In some embodiments, each node 110A-N may include additional or fewer components than illustrated in FIGS. 2A-2B.

In some embodiments, the features and services provided by each node 110A-N may be implemented as web services consumable via the public network 210 and/or the cellular network 220. In further embodiments, each node 110A-N is provided by one or more virtual machines implemented in a hosted computing environment. The hosted computing environment may include one or more rapidly provisioned and released computing resources, which computing resources may include computing, networking and/or storage devices. A hosted computing environment may also be referred to as a cloud computing environment.

Each electronic or user device 211 can be an Internet of Things (IoT) device. As used herein, an IoT device can be any electronic device that can collect and/or exchange data via a network and/or that can be sensed or controlled remotely via a network. For example, an IoT device can include a wide variety of computing devices, including personal computing devices, terminal computing devices, laptop computing devices, tablet computing devices, electronic reader devices, mobile devices (e.g., mobile phones, media players, handheld gaming devices, etc.), wearable devices with network access and program execution capabilities (e.g., “smart watches” or “smart eyewear”), wireless devices, home automation devices (e.g., “smart thermostats” or “smart meters”), sensors (e.g., sensors that measure physical data like voltage, current, pressure, temperature, soil acidity, heart rate, blood pressure, etc.), transportation vehicles (e.g., automobiles, train cars, airplanes, helicopters, bicycles, motorcycles, ships, etc.), robots, digital signs, automated teller machines, set-top boxes, gaming consoles, entertainment systems, televisions with network access and program execution capabilities (e.g., “smart TVs”), and various other electronic devices and appliances. Individual IoT devices may execute a browser application to communicate via the public network 210 and/or the cellular network 220 with other computing systems, such as the node 110A or the other nodes 110B-110N, in order to transmit and/or receive data (e.g., settings or device parameter information) and/or in order to be sensed or controlled remotely. Alternatively, an electronic device 211 can be a device other than an IoT device (e.g., a device that does not collect or exchange data and/or that is not sensed or controlled remotely via a network, such as a non-network-enabled device).

As described herein, a user can access one or more nodes 110A-N via a user device (e.g., a computing device, like an electronic device 211 or a non-IoT device, that is or is not being monitored by the nodes 110A-N). For example, the nodes 110A-N may be located so that they are close (in either a geographical or networking sense) to groups of user devices. In such a configuration, a user device may be provided access to the node 110A-N to which it is closest and/or to the node 110A-N that shares a geographic region with the user device, rather than all user devices being provided access to a single node 110A-N. If the node 110A-N to which a user device is closest and/or that shares a geographic region with the user device is offline (e.g., due to an outage, maintenance, etc.), then the user device may be provided access to the next closest node 110A-N, the node 110A-N assigned to be a backup of the offline node, and/or the like.

FIG. 3A illustrates an example data flow between IoT devices, such as electronic devices 311, and the node 110A. While FIG. 3A illustrates three different ways that the node 110A can communicate with various electronic devices 311, this is not meant to be limiting. The node 110A can communicate with electronic devices 311 using any combination of the different ways illustrated in FIG. 3A. For example, the node 110A can communicate with electronic devices 311A-B via a cellular network dedicated circuit 310 and the cellular network 220. The cellular network dedicated circuit 310 may provide an interface between the node 110A and the internal networking components of the cellular network 220. This example is described in greater detail below with respect to FIG. 3B. As another example, the node 110A can communicate with electronic devices 311C-D via the public network 210. This example is described in greater detail below with respect to FIG. 3C. As another example, the node 110A can communicate with the electronic devices 311C-D via the network 240 and the server 230.

FIG. 3B illustrates an example data flow between IoT devices, such as the electronic devices 311A-B, and the components in node 110A via the cellular network 220. As illustrated in FIG. 3B, the router 202 can receive communications from and transmit communications to the cellular network dedicated circuit 310. The communications may be encapsulated according to a cellular carrier protocol 320. In an embodiment, the electronic devices 311A-B are capable of communicating via the cellular network 220. Thus, the data transmitted between the electronic devices 311A-B and the router 202 are encapsulated according to the cellular carrier protocol 320. In addition, the router 202 may route such data to the active threat detector 203, and the active threat detector 203 may route such data (e.g., after filtering none, some, or all of the data) to the firewall 204. The data transmitted between these components 202-204 may still be encapsulated according to the cellular carrier protocol 320.

In an embodiment, the firewall 204 converts the data from the cellular carrier protocol 320 to an Internet protocol (IP) 330 or another similar network-based protocol. The data may pass through another firewall 304 before reaching the switch 212. The switch 212 then routes the data encapsulated according to the IP 330 to one of the servers 206-208 or the one or more backup repository servers 209.

Likewise, data from the one or more backup repository servers 209 or one of the servers 206-208 can be transmitted to the switch 212 and can be encapsulated according to the IP 330. The switch 212 can forward the data to the firewall 204. The firewall 204 can then convert the data from the IP 330 to the cellular carrier protocol 320, and the re-encapsulated data can then be forwarded to the active threat detector 203, the router 202, and the cellular network dedicated circuit 310 before reaching the cellular network 220 and eventually one of the electronic devices 311A or 311B.

FIG. 3C illustrates an example data flow between IoT devices, such as the electronic devices 311C-D, and the components in the node 110A via the public network 210. Unlike the example illustrated in FIG. 3B, all data transmitted between the electronic devices 311C-D and one of the servers 206-208 or the one or more backup repository servers 209 are encapsulated according to the IP 330. While FIGS. 3B and 3C are illustrated as separate examples, this is not meant to be limiting. The node 110A can handle data encapsulated according to the IP 330 received from and transmitted to the public network 210, data encapsulated according to the cellular carrier protocol 320 received from and transmitted to the cellular network dedicated circuit 310, and/or data encapsulated according to any proprietary protocol received from and transmitted to the network 240.

End-to-End Protection

As described above, conventional data network systems may have gaps in their security schemes. Some conventional data network systems may allow data to be transmitted in an unsecured manner over a public network, such as the Internet, leaving open the possibility that the data can be captured, snooped, or otherwise accessed by an unauthorized user. Some conventional data network systems may store or transmit encryption keys together with encrypted data, allowing the encrypted data to be easily compromised. The multi-node environment described herein seeks to close such security gaps.

For example, a node, such as one of the nodes 110A-N, implements security protocols at an interface between the private network 101 and the public network 210 and the internal components of the respective node 110A-N (e.g., the SIEM system 201) to guard against external cyberattacks. Security solutions at the network interface work in tandem with system-internal controls to enforce information flow through secure connections and configurations. As an example, Secure Socket Layer (SSL) encryption can be used to secure data that is transmitted between electronic devices 211 and the node 110A via the public network 210. The node 110A can perform SSL decryption within a secure boundary (e.g., the SIEM system 201) in which the decrypted and/or clear-text data only exists for a finite duration of time. The node 110A can re-encrypt the decrypted data using encryption keys securely generated by the encryption key management system 205. The node 110A can employ a robust encryption algorithm, such as AES-256, to encrypt the data as the data is stored onto a storage drive, such as a storage drive included in the storage servers 208. In an alternative embodiment, a tunnel encryption, such as a Virtual Private Network (VPN) encryption, protects data transmission between electronic devices 211 and the node 110A. Communications that are entirely within the node 110A can also be encrypted.

In an embodiment, the SIEM system 201 is configured to perform threat detection, real-time response, automatic event logging, and/or post-event analysis. For example, the node 110A (e.g., the SIEM system 201) can detect some or all unauthorized access attempts and enforce appropriate security responses (e.g., disabling access after multiple access failures within a predetermined period of time). The node 110A (e.g., the SIEM system 201) can perform automatic logging of some or all security-related system events, including successful and/or unsuccessful account login events, account management events, object access, policy change, privilege functions, process tracking, and/or system events. The node 110A (e.g., the SIEM system 201) can also perform automatic logging of some or all security-related web-application events, including some or all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, permission changes, remote connections to the node 110A, and/or some or all unauthorized access attempts. An event monitor and analyzer within the node 110A (e.g., within the SIEM system 201) can perform post-event analysis and permit comprehensive security auditing and process management.
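
The lockout response described in this paragraph, worked as an added example (this is not code from the patent): a replay of constructed login events that disables an account after a number of failures inside a fixed window. The threshold of three failures, the five-minute window, the log format and the account names are assumptions made for the example.

```python
"""Added example (not code from the patent): a SIEM-style lockout rule.

It applies the response described above, disabling access after
multiple failures inside a fixed window, to constructed login events.
The threshold, window and log format are assumptions for the example.
"""
from collections import deque
from datetime import datetime, timedelta

MAX_FAILURES = 3               # failures that trigger a lockout (assumed policy)
WINDOW = timedelta(minutes=5)  # the "predetermined period of time" (assumed)

# Constructed sample events: "<ISO timestamp> <account> <result>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice FAIL
2024-01-01T10:01:00 alice FAIL
2024-01-01T10:02:00 bob OK
2024-01-01T10:03:30 alice FAIL
2024-01-01T10:04:00 alice OK
2024-01-01T10:20:00 carol FAIL
2024-01-01T10:30:00 carol FAIL
2024-01-01T10:31:00 carol FAIL
"""


def parse_event(line):
    """Split one log line into (timestamp, account, result)."""
    ts, account, result = line.split()
    return datetime.fromisoformat(ts), account, result


def evaluate(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay events in order and return (locked, decisions).

    locked:    account -> time the lockout was imposed
    decisions: one verdict per event: "allow", "deny" or "lockout"
    A successful login clears the account's failure history; a locked
    account is denied for the rest of the replay even on a correct
    password, which is what makes this a response rather than a log line.
    """
    recent = {}      # account -> deque of failure times still inside the window
    locked = {}
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result = parse_event(line)
        if account in locked:
            decisions.append("deny")
            continue
        if result == "OK":
            recent.pop(account, None)
            decisions.append("allow")
            continue
        failures = recent.setdefault(account, deque())
        failures.append(ts)
        # Drop failures that have aged out of the window before counting.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            locked[account] = ts
            decisions.append("lockout")
        else:
            decisions.append("deny")
    return locked, decisions


if __name__ == "__main__":
    for account, when in evaluate(SAMPLE_LOG)[0].items():
        print(f"lockout: {account} at {when.isoformat()}")
```

The sample is chosen so that both sides of the rule are exercised: alice accumulates three failures inside five minutes and is locked, while carol also fails three times but spread over eleven minutes, so the oldest failure has aged out of the window by the time the third arrives and no lockout is imposed.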

The operations performed by the SIEM system 201 at the network interface of the node 110A include monitoring and controlling communications sent and received via the various networks 101 and 210. Such operations performed by the SIEM system 201 may work in tandem with internal security techniques implemented by other components of the node 110A that monitor and control communications at key internal boundaries within the node 110A. The SIEM system 201 may implement a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

The node 110A can enforce encryption on some or all remote access connections, whether initiated by a user or a system administrator. Some or all data can be encrypted. Further, in some embodiments, the node 110A configures some or all secure connections to use managed entry points that employ boundary protection devices (e.g., SIEMs).

In an embodiment, the node 110A (e.g., the one or more monitoring servers 207) employs a multi-factor authentication scheme to prevent unauthorized access. For example, the multi-factor authentication can include a username and password, a secure code separately transmitted to a first user device associated with a user that is attempting to access the node 110A via a second user device, biometrics (e.g., a fingerprint, a vein map, a behavioral signature, such as physiological characteristics of a user that describe a way the user interacts with an input device (e.g., a keyboard, touch pad, mouse, etc.), etc.), and/or the like. Through authentication, the node 110A can uniquely identify and authenticate users and/or user processes with unique identifiers and enforce specific strength requirements on the identifiers. The node 110A can also require users to be authorized with the node 110A before assigning accounts. In an embodiment, the node 110A may, in an emergency or extraordinary situation, temporarily permit an individual to be authenticated with an authenticator with a reduced number of factors compared with normal operation. In some embodiments, multi-factor login verification data is encrypted for confidentiality.

As described herein, the node 110A can be designed such that communications internal to the node 110A are partitioned or walled off from publicly accessible node 110A components. A multi-tier architecture of the node 110A (e.g., the components within the SIEM system 201) can segment contact between application-specific information (e.g., user data) and other system information (e.g., encryption keys). For example, FIG. 4 illustrates an example data flow between an electronic device 211 and the components in the node 110A. As illustrated in FIG. 4, a first data path 410 includes communications between the electronic device 211 and the SIEM system 201, between the SIEM system 201 and the switch 212, between the switch 212 and the one or more processing servers 206, between the one or more processing servers 206 and the one or more monitoring servers 207, and between the one or more monitoring servers 207 and the one or more storage servers 208. A second data path 420 includes communications (e.g., the transmission of encryption keys) between the encryption key management system 205 and the one or more storage servers 208. The first data path 410 and the second data path 420 do not overlap and/or do not share communication interfaces, such that the information transmitted over one data path cannot be accessed by components in the other data path.

Encryption Key Management (EKM) System

FIG. 5 illustrates a detailed block diagram of the encryption key management system 205 of the node 110A. The encryption key management system 205 includes a key management subsystem to facilitate the use of encryption keys to encrypt user data. For example, as illustrated in FIG. 5, the encryption key management system 205 includes an enterprise key management (EKM) system 501, a local key management (LKM) system 502, and one or more self-encrypting drives (SEDs) 503. While FIG. 5 illustrates a single LKM system 502, this is not meant to be limiting. The EKM system 501 may be associated with a plurality of LKM systems 502, and each LKM system 502 may be associated with a separate set of SEDs 503.

In an embodiment, the multi-node environment employs cryptographic security controls to protect the confidentiality and integrity of transmitted information through the deployment of hardware and software solutions. The multi-node environment can enforce cryptographic protection throughout the environment except where the information is otherwise protected within the private network 101. For example, the information may otherwise be protected when a node 110A-N decrypts data encrypted using an SSL channel encryption scheme and re-encrypts the data using a storage drive encryption scheme, or decrypts data using a storage drive encryption scheme and re-encrypts the data using an SSL channel encryption scheme.

The encryption of data files within a node 110A-N can be performed in a variety of ways. One approach, for example, may follow standards outlined in NIST FIPS 140-2 documentation, where all encryption keys are stored in a depository separate from the location where the encrypted files are stored, backed up, and/or accessed. The EKM system 501 can be configured to serve as the depository that generates and stores all encryption keys. The EKM system 501 can enforce encryption using the encryption keys through native hardware control. The EKM system 501 may then communicate with other hardware components that use encryption keys. The LKM system 502 can manage requests from and transfers of encryption keys to multiple storage drives (e.g., SEDs 503). For example, the LKM system 502 can store information that indicates which encryption keys are being used and/or have been used by a given SED 503, how often an encryption key has been used to encrypt data, encryption key rotation information, and/or the like. The SEDs 503 can be configured to automatically encrypt data using provided encryption keys and store such encrypted data. The SEDs 503 can use embedded hardware to enforce in-line encryption and/or decryption. In some embodiments, clear-text data cannot be extracted from SEDs 503. The use of in-line hardware can minimize the delay associated with encryption and/or decryption operations. The smaller delay, together with key generation and/or management functions included within the encryption key management system 205, can render the encryption process transparent to users (e.g., the user is unaware of the encryption keys used to encrypt user data). This transparency may increase user-friendliness and data security because critical encryption keys never leave the secure domain of the node 110A.

As an example, the EKM system 501 may generate one or more encryption keys. A SED 503 can request an encryption key to be used for encrypting data received from an electronic device 211 associated with a user via the public network 210. The request from the SED 503 can be received by the LKM system 502. The LKM system 502 can then request a new encryption key from the EKM system 501. The EKM system 501 can transmit the encryption key to the LKM system 502, and the LKM system 502 can forward the encryption key to the SED 503. The LKM system 502 can store information indicating that the specific encryption key was sent to the specific SED 503. The LKM system 502 can use this information along with an encryption key rotation policy to anticipate when a new encryption key may be needed for a SED 503. Once the requested encryption key is received by the SED 503, the SED 503 can encrypt and/or decrypt data received from the electronic device 211. The SED 503 may encrypt data as data is received from the electronic device 211. Alternatively, the SED 503 may encrypt data at regular intervals or at a set time.

The data backup system 504 can be configured to back up data stored in the SEDs 503. The data backup system 504 can store backup data on the SED 503 associated with the backup (and the stored backup data can be encrypted by the SED 503 using the same encryption key as used to encrypt the other data stored on the SED 503). For example, the data backup system 504 can receive, from the LKM system 502, the encryption key currently being used by the SED 503 to encrypt and decrypt data. The data backup system 504 can use the encryption key to decrypt the encrypted data already stored on the SED 503. The data backup system 504 can then extract encrypted backup data from the decrypted data of the entire SED 503 and decrypt the backup data using a key previously used by the data backup system 504 to encrypt the backup data. The data backup system 504 can then perform a data backup of the SED 503 (e.g., a data backup of the encrypted data or a data backup of the decrypted data, where the data backup system 504 decrypts the encrypted data using the received encryption key) and replace the old decrypted backup data with new backup data. The data backup system 504 can receive another encryption key from the LKM system 502 or another LKM system local to the data backup system 504 and use this encryption key to encrypt the new data backup before storing the new, encrypted data backup on the SED 503. The new, encrypted data backup on the SED 503 may be stored with a different encryption flag to identify the data as being encrypted with a different key than the key used to encrypt the other data stored on the SED 503. The data on the SED 503, including (or not including) the new, encrypted data backup, may then be encrypted using a new key provided by the LKM system 502.

If the user requests a data restore, the data backup system 504 can use the encryption key to decrypt the encrypted data already stored on the SED 503. The data backup system 504 can then extract encrypted backup data from the decrypted data of the entire SED 503 and decrypt the backup data using a key previously used by the data backup system 504 to encrypt the backup data. The data backup system 504 can then initiate a restore of the decrypted backup data. The backup data can be restored to the SED 503 and/or transmitted to the user. Once the restore is complete, the data backup system 504 can re-encrypt the decrypted backup data and store the encrypted backup data on the SED 503 (and re-encrypt all of the data stored on the SED 503 as described above).

Thus, in some embodiments, the data backup is encrypted by the data backup system 504 using a first encryption key, and then the encrypted data backup (along with the other data stored on the SED 503) is encrypted again by the SED 503 using a second encryption key. The data backup system 504 can be a standalone component in the encryption key management system 205, or the functionality described above for the data backup system 504 can be performed by the one or more backup repository servers 209.
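
The two-layer backup and restore sequence of the three preceding paragraphs, worked as an added example (not code from the patent or its implementation). The backup system seals a snapshot under its own key, the drive then seals everything under the drive key, and each backup cycle rotates both keys. An HMAC-SHA256 counter keystream stands in for the AES-256 the text names so that the example runs on the standard library alone; the record layout, the "flag" field and the key labels are assumptions made for the example.

```python
"""Added example (not code from the patent): the two-layer backup scheme.

The backup system encrypts a snapshot with its own key (first layer) and
stores it on the SED, where the drive encrypts everything under the
drive key (second layer). The cipher below is an HMAC-SHA256 keystream,
a stand-in for the AES-256 the text names so the example runs on the
standard library alone; the record layout and "flag" field are assumptions.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES-256)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt with a fresh random nonce prefixed to the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key, blob):
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class SED:
    """Model of a self-encrypting drive: every record lives under one drive key."""

    def __init__(self, drive_key, records):
        self.blob = None
        self.rewrite(drive_key, records)

    def read_all(self, drive_key):
        """Decrypt the whole drive (a wrong key yields garbage, not an error)."""
        return json.loads(unseal(drive_key, self.blob).decode())

    def rewrite(self, drive_key, records):
        """Re-encrypt the whole drive under a (possibly new) drive key."""
        self.blob = seal(drive_key, json.dumps(records).encode())


def backup_cycle(sed, drive_key, old_backup_key, new_backup_key, new_drive_key):
    """One cycle of the data backup system 504 as the text describes it.

    Returns the previous snapshot (or None) so the caller can see what was
    replaced. Only the "backup" record carries the backup-key flag.
    """
    records = sed.read_all(drive_key)                  # drive key obtained from the LKM
    previous = None
    if "backup" in records:
        previous = json.loads(unseal(old_backup_key, bytes.fromhex(records["backup"]["data"])))
    user_data = {name: rec for name, rec in records.items() if name != "backup"}
    snapshot = json.dumps(user_data).encode()
    records["backup"] = {"flag": "backup-key", "data": seal(new_backup_key, snapshot).hex()}
    sed.rewrite(new_drive_key, records)                # second layer under the new drive key
    return previous


def restore(sed, drive_key, backup_key):
    """Peel both layers: the drive key first, then the backup system's key."""
    records = sed.read_all(drive_key)
    return json.loads(unseal(backup_key, bytes.fromhex(records["backup"]["data"])))


def key_for(label):
    """Constructed, deterministic keys so the demo is reproducible."""
    return hashlib.sha256(label.encode()).digest()


def demo():
    """Two backup cycles with every key rotated, then a restore."""
    sed = SED(key_for("drive-1"), {"settings": {"flag": "drive-key", "data": "temp=21"}})
    first = backup_cycle(sed, key_for("drive-1"), None, key_for("backup-1"), key_for("drive-2"))
    records = sed.read_all(key_for("drive-2"))
    records["settings"]["data"] = "temp=19"            # the device changes a setting
    sed.rewrite(key_for("drive-2"), records)
    second = backup_cycle(sed, key_for("drive-2"), key_for("backup-1"),
                          key_for("backup-2"), key_for("drive-3"))
    return first, second, restore(sed, key_for("drive-3"), key_for("backup-2"))
```

The point the example makes concrete is that the backup record is opaque to anyone holding only the drive key: `read_all` with the drive key exposes the backup's flag and ciphertext but not its contents, and a restore needs the backup system's key as well.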

In an embodiment, the encryption key management system 205 produces, controls, and/or distributes symmetric encryption keys using NIST FIPS-compliant key management technology and processes. The encryption key management system 205 can also produce, control, and/or distribute asymmetric encryption keys using NSA-approved key management technology and processes. The encryption key management system 205 may obtain public key certificates under an appropriate certificate policy from an approved service provider.

In an embodiment, the multi-node environment employs cryptographic security controls to protect the confidentiality and integrity of data through the deployment of hardware and software solutions throughout the environment. The cryptographic security controls protect data, whether at rest or in transit.

Encryption Key Management System Redundancy

FIG. 6 illustrates the redundancy of the encryption key management systems 205A-B between nodes 110A-B. FIG. 6 illustrates the interaction between the encryption key management systems 205A-B of nodes 110A-B, respectively, but the techniques disclosed herein can apply to any pair or set of nodes 110A-N. As illustrated in FIG. 6, the node 110A includes an encryption key management system 205A that includes an EKM system 501A, a primary LKM 601A, and a secondary LKM 602A. Similarly, the node 110B includes an encryption key management system 205B that includes an EKM system 501B, a primary LKM 601B, and a secondary LKM 602B.

In an embodiment, the primary LKMs 601A-B are active in normal operation and the secondary LKMs 602A-B are used for disaster recovery. The EKM system 501A can communicate with the EKM system 501B (and any other EKM system of any other node 110C-N) via the switch 212A, the SIEM system 201A, the private network 101, the SIEM system 201B, and the switch 212B. The EKM systems 501A-B can communicate, for example, so that both EKM systems 501A-B include the encryption keys generated by the other EKM system 501A-B (and/or the other EKM systems in the multi-node environment), so that an encryption key management system of one node can operate in place of the encryption key management system of another node when that encryption key management system in the other node is down or inactive.

For example, the secondary LKM 602A may be a backup copy of the primary LKM 601B. Similarly, the secondary LKM 602B may be a backup copy of the primary LKM 601A. The primary LKMs 601A-B may periodically be backed up so that the secondary LKMs 602A-B have current data. The EKM system 501A and/or the primary LKM 601A (via the EKM system 501A) of the node 110A can monitor the primary LKM 601B of the node 110B by periodically polling the primary LKM 601B (e.g., and determining that the LKM 601B is active if a response to the poll is received). If the primary LKM 601B becomes unavailable or inactive (as determined by the polling of the primary LKM 601B), the primary LKM 601A and/or the EKM system 501A activates the secondary LKM 602A, which then functions as the primary LKM of the node 110B. The secondary LKM 602A can operate as the primary LKM of the node 110B because of the exchange of encryption keys between the EKM systems 501A-B and/or because of the periodic backups of the primary LKM 601B (which are stored in the secondary LKM 602A).

If the primary LKM 601B becomes active again (as determined by the polling of the primary LKM 601B), the secondary LKM 602A synchs with the primary LKM 601B so that the primary LKM 601B has the most up-to-date information. The secondary LKM 602A then ceases to function as the primary LKM of the node 110B, and the primary LKM 601B resumes normal operation as described herein.
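
The poll, fail-over and resync loop of the preceding two paragraphs, worked as an added example (not code from the patent). It models the primary LKM 601B, its backup copy in the secondary LKM 602A, and the monitoring done from node 110A; the same state machine also covers the node-level arrangement described earlier, where a backup node stands in for an inactive node and syncs it afterwards. The record shape (key identifier to SED identifier), the single-poll liveness rule and the merge rule used on resync are assumptions made for the example.

```python
"""Added example (not code from the patent): the poll / fail-over / resync loop.

It models the primary LKM 601B of node 110B, its backup copy in the
secondary LKM 602A of node 110A, and the EKM system 501A polling it.
The record shape and the merge performed on resync are assumptions.
"""
import copy


class PrimaryLKM:
    """The remote primary: answers polls while online, holds the live records."""

    def __init__(self):
        self.online = True
        self.records = {}          # key_id -> sed_id (assumed record shape)

    def poll(self):
        return self.online         # a response means "active"


class SecondaryLKM:
    """Local backup copy that can be activated in place of the primary."""

    def __init__(self):
        self.snapshot = {}         # periodic backup of the primary
        self.records = {}          # live records while active
        self.active = False


class Monitor:
    """EKM 501A's view: polls the primary, activates and retires the secondary."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.events = []

    def backup(self):
        """Periodic backup so the secondary holds current data."""
        self.secondary.snapshot = copy.deepcopy(self.primary.records)

    def tick(self):
        if self.primary.poll():
            if self.secondary.active:
                # Recovery: changes made during the outage flow back to the
                # primary, then the secondary stands down.
                self.primary.records.update(self.secondary.records)
                self.secondary.active = False
                self.events.append("resync")
            self.backup()
        elif not self.secondary.active:
            # No response: bring the backup copy up as the primary for 110B.
            self.secondary.records = copy.deepcopy(self.secondary.snapshot)
            self.secondary.active = True
            self.events.append("failover")

    def serving(self):
        """Whichever LKM currently answers key requests for node 110B."""
        return self.secondary if self.secondary.active else self.primary


def scenario():
    """Normal operation, an outage with a key issued meanwhile, then recovery."""
    primary, secondary = PrimaryLKM(), SecondaryLKM()
    mon = Monitor(primary, secondary)
    mon.serving().records["key-0001"] = "sed-503"    # normal operation
    mon.tick()                                        # poll ok, backup taken
    primary.online = False
    mon.tick()                                        # poll fails: failover
    mon.serving().records["key-0002"] = "sed-504"    # issued during the outage
    primary.online = True
    mon.tick()                                        # poll ok: resync, stand down
    return mon.events, dict(primary.records), secondary.active
```

The resync here is a plain dictionary merge in which the secondary's entries win, which is enough for the scenario because the primary cannot change while it is unreachable. A deployment would also need a rule for a primary that was only unreachable from the monitor and kept serving, so that two LKMs do not assign different keys to the same drive; the text does not specify that rule, and the example does not invent one.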

Example Process for Providing an Encryption Key to an SED

FIG. 7 illustrates a process 700 that may be implemented by the LKM system 502 to provide an encryption key to an SED, such as the SED 503. The process 700 begins at block 702.

At block 702, a request for an encryption key is received from a self-encrypting drive. The self-encrypting drive may request the encryption key to encrypt data received from an IoT device, such as the electronic device 211 (e.g., settings or device parameter information).

At block 704, a request for the encryption key is transmitted to the enterprise key management system. The request may be transmitted to the enterprise key management system in response to receiving the request from the self-encrypting drive.

At block 706, the encryption key is received from the enterprise key management system. In an embodiment, the LKM system 502 stores information associating the received encryption key with the self-encrypting drive that requested the encryption key. Such information can include an encryption key identifier, a rotation policy associated with the encryption key, and/or the like.

At block 708, the encryption key is transmitted to the self-encrypting drive. The self-encrypting drive may use the encryption key to encrypt and/or decrypt data stored in the self-encrypting drive.
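
Process 700, together with the rotation bookkeeping the EKM/LKM/SED example earlier in this section describes, worked as an added example (not code from the patent). The EKM is the only component that generates keys, the LKM brokers requests and keeps per-drive metadata (key identifier and rotation policy, never the key bytes), and the SED pulls a key on first use. The usage-count rotation policy, the key-identifier format and the component interfaces are assumptions made for the example.

```python
"""Added example (not code from the patent): process 700 as an in-memory LKM.

EKM (the key depository), LKM (request broker and bookkeeper) and SED are
modelled as classes; the usage-count rotation policy and key-id format
are assumptions made for the example.
"""
from dataclasses import dataclass
import secrets


class EKM:
    """Stand-in for the EKM system 501: the only component that generates keys."""

    def __init__(self):
        self.vault = {}                                  # key_id -> key bytes

    def issue_key(self):
        key_id = f"key-{len(self.vault) + 1:04d}"
        self.vault[key_id] = secrets.token_bytes(32)     # 256-bit key (AES-256 size)
        return key_id, self.vault[key_id]


@dataclass
class Assignment:
    """What the LKM keeps per SED: identifiers and policy, not the key itself."""
    key_id: str
    sed_id: str
    max_uses: int
    uses: int = 0


class LKM:
    """Stand-in for the LKM system 502 running the blocks of process 700."""

    def __init__(self, ekm, max_uses=1000):
        self.ekm = ekm
        self.max_uses = max_uses                         # rotation policy (assumed)
        self.current = {}                                # sed_id -> Assignment
        self.history = []                                # every assignment ever made

    def handle_key_request(self, sed_id):
        # Block 702: a request arrives from the SED.
        # Blocks 704 and 706: forward the request to the EKM and receive the key.
        key_id, key = self.ekm.issue_key()
        record = Assignment(key_id, sed_id, self.max_uses)
        self.current[sed_id] = record
        self.history.append(record)
        # Block 708: hand the key to the drive; only the metadata stays here.
        return key_id, key

    def record_use(self, sed_id, count=1):
        self.current[sed_id].uses += count

    def rotation_due(self, sed_id):
        record = self.current[sed_id]
        return record.uses >= record.max_uses

    def rotate_if_due(self, sed_id):
        """Anticipate the next key: issue a fresh one once the policy is hit."""
        return self.handle_key_request(sed_id) if self.rotation_due(sed_id) else None


class SED:
    """Stand-in for SED 503: pulls a key on first write and reports each use."""

    def __init__(self, sed_id, lkm):
        self.sed_id, self.lkm = sed_id, lkm
        self.key_id = self.key = None

    def write(self, data):
        """Return the key id under which this write was encrypted."""
        if self.key is None:
            self.key_id, self.key = self.lkm.handle_key_request(self.sed_id)
        used = self.key_id
        self.lkm.record_use(self.sed_id)
        rotated = self.lkm.rotate_if_due(self.sed_id)   # new key for the next write
        if rotated:
            self.key_id, self.key = rotated
        return used
```

With `max_uses=2` the third write already lands under the second key, and `lkm.history` is the audit trail the text describes: which keys a given drive has used, and in what order.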

Example Data Packet Analysis

FIG. 8 illustrates an example data packet inspection flow 800 that may be implemented in any node, such as node 110A. As illustrated in FIG. 8 and described herein, the node 110A can receive and transmit data packets via the private network 101 and/or via the public network 210. The node 110A may analyze these data packets for threat detection purposes. For example, the SIEM system 201 (e.g., the active threat detector 203 and/or the firewall 204) of the node 110A performs the data packet analysis.

In some embodiments, the node 110A performs a different type of data packet analysis based on the source and/or destination of the respective data packet. For example, if a data packet originates from another node (e.g., node 110B, node 110C, etc.) and is transmitted over the private network 101, then the SIEM system 201 performs a first type of analysis, conceptually represented at location 806. If a data packet originates from an external device (e.g., one of electronic devices 211) and is transmitted over the public network 210 or cellular network 220 (not shown), then the SIEM system 201 performs a second type of analysis, conceptually represented at location 802, and/or a third type of analysis, conceptually represented at location 804. Details on the differences between the different types of analyses are described below.

The SIEM system 201 may dedicate computing resources to perform one or more of the analyses. For example, to perform an analysis, the SIEM system 201 can create an isolated environment to which a set of computing resources, such as computer memory, processing power, etc., is dedicated. The computing resources may be used by the SIEM system 201 to execute, inspect, or otherwise process the contents of data packets. The isolated environment may help prevent the contents of such data packets from accessing other resources in the node 110A and/or may help prevent unauthorized or unintended actions from being executed by the contents of such data packets.

The computing resources dedicated to an isolated environment may be different depending on the type of analysis to be performed using the computing resources. For example, because the analysis performed by the SIEM system 201 may be different depending on the source and/or destination of a data packet, different computing resources can be dedicated for a particular type of analysis such that the SIEM system 201 can perform specific and different functions that are tailored toward the types of threats that may originate from transmissions via the private network 101 and/or transmissions via the public network 210 or cellular network 220 (not shown).

As described herein, the node 110A may receive data packets from external devices through the public network 210 or through the cellular network 220 (not shown). In some instances, such data packets may be unsecure: the contents of the data packets may include malware, corrupted data, or otherwise suspicious information. The second type of analysis performed by the SIEM system 201, conceptually represented at the location 802, may be deployed to analyze inbound data packets transmitted over the public network 210 and/or the cellular network 220 (not shown) for threats. During the second type of analysis, the SIEM system 201 can retrieve the third party threat data received from external sources. The SIEM system 201 may then perform external threat management by, for example, analyzing the inbound data packets using the third party threat data. For example, the third party threat data can include lists or ranges of suspicious or malicious IP addresses and the SIEM system 201 can compare the inbound data packets with these IP addresses to identify suspicious data packets (e.g., the SIEM system 201 can analyze the header of an inbound data packet to see if the header includes a malicious IP address as a source address or destination address). If a match is found, the corresponding data packet or packets are dropped and blocked from further entry into the node 110A. As another example, the third party threat data can include threat signatures, which are digital signatures of existing, known threats that can be received from external sources and stored in the node 110A (e.g., in a data storage device accessible by the active threat detector 203 and/or the firewall 204). The SIEM system 201 can generate signatures of inbound data packets (e.g., using the same digital signature algorithm as used to generate the threat signatures) and compare the generated signatures with the threat signatures. If a match is found, the corresponding data packet or packets are dropped and blocked from further entry into the node 110A. The SIEM system 201 may use one of a plurality of digital signature algorithms, such as the Digital Signature Algorithm (DSA) specified in FIPS 186-1 or its successors, a message digest algorithm such as MD5, or other like algorithms to generate the inbound data packet signatures.

One or more data packets that are not dropped or blocked based on the second type of analysis may be further inspected by the SIEM system 201 using the third type of analysis, conceptually represented at the location 804. During the third type of analysis, the SIEM system 201 may perform malware and/or behavioral analysis, which takes into account parameters and constraints of the node 110A and/or the public network 210 or the cellular network 220 (not shown). For example, the SIEM system 201 may store behavior information related to the types of data packets normally transmitted and received via the public network 210 (or the cellular network 220) and the source and/or destination of such data packets. The SIEM system 201 may then inspect the source and/or destination addresses of current data packets and drop data packets that include unusual source and/or destination addresses as indicated by the behavior information. As another example, the SIEM system 201 may store permitted source and/or destination addresses. The SIEM system 201 may block data packets with an address outside of the permitted address values. Behavioral analysis may be performed on malware. For example, a malware specimen may be analyzed for its interactions with computing resources such as file systems, operating system processes and/or components, networks, etc. The SIEM system 201 may provide behavior monitoring tools and create an isolated environment in the system to permit behavioral analysis. The SIEM system 201 may perform behavioral analysis by allowing a malware specimen to infect the isolated environment, analyzing interactions of the malware with computing resources, and/or modifying computing resources available to the isolated environment to analyze the malware's behavior (e.g., changes in response to modification of available computing resources).
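The second and third types of analysis described above, as an added example rather than code from the patent: a Go inspection pipeline that checks inbound packet headers against threat-data address ranges, digests the payload and compares it with stored threat signatures, and then applies a baseline of normally seen source/destination pairs. The Packet and ThreatData types, the SHA-256 digest, and all addresses and feed entries are this example's constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
)

// Packet is a simplified inbound data packet: header addresses plus payload.
type Packet struct {
	Src, Dst string
	Payload  []byte
}

// Verdict is the outcome of an inspection stage.
type Verdict string

const (
	Pass            Verdict = "pass"
	DropMalformed   Verdict = "drop: unparsable address"
	DropIPMatch     Verdict = "drop: address in third-party threat data"
	DropSigMatch    Verdict = "drop: payload matches a threat signature"
	DropNotBaseline Verdict = "drop: address pair outside behavior baseline"
)

// ThreatData: feed address ranges plus hex SHA-256 threat signatures (the page lists DSA/MD5).
type ThreatData struct {
	BadNets    []*net.IPNet
	Signatures map[string]struct{}
}

// NewThreatData parses the feed's CIDR ranges and indexes its signatures.
func NewThreatData(cidrs, sigs []string) (*ThreatData, error) {
	td := &ThreatData{Signatures: make(map[string]struct{})}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("threat data: bad CIDR %q: %w", c, err)
		}
		td.BadNets = append(td.BadNets, n)
	}
	for _, s := range sigs {
		td.Signatures[s] = struct{}{}
	}
	return td, nil
}

// Signature digests a payload with the same algorithm the feed used.
func Signature(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SecondAnalysis (location 802): addresses against feed ranges, then payload signature against the feed.
func SecondAnalysis(td *ThreatData, p Packet) Verdict {
	for _, addr := range []string{p.Src, p.Dst} {
		ip := net.ParseIP(addr)
		if ip == nil {
			return DropMalformed // an unparsable header is never passed on
		}
		for _, n := range td.BadNets {
			if n.Contains(ip) {
				return DropIPMatch
			}
		}
	}
	if _, hit := td.Signatures[Signature(p.Payload)]; hit {
		return DropSigMatch
	}
	return Pass
}

// Baseline is the stored behavior information: source/destination pairs normally seen on this node.
type Baseline map[[2]string]bool

// LearnBaseline builds the baseline from previously accepted traffic.
func LearnBaseline(history []Packet) Baseline {
	b := Baseline{}
	for _, p := range history {
		b[[2]string{p.Src, p.Dst}] = true
	}
	return b
}

// ThirdAnalysis (location 804): drop packets whose address pair is unusual for this node.
func ThirdAnalysis(b Baseline, p Packet) Verdict {
	if !b[[2]string{p.Src, p.Dst}] {
		return DropNotBaseline
	}
	return Pass
}

// InspectInbound runs the second analysis and, only for packets that pass it, the third.
func InspectInbound(td *ThreatData, b Baseline, p Packet) Verdict {
	if v := SecondAnalysis(td, p); v != Pass {
		return v
	}
	return ThirdAnalysis(b, p)
}
```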

The SIEM system 201 can additionally inspect outbound data packets (e.g., data packets transmitted by the node 110A over the public network 210 or the cellular network 220). Such inspection may be performed for the purpose of data logging and event management (e.g., logging traffic events to particular destination addresses).

The third type of analysis may be a deeper, more granular analysis than the second type of analysis. For example, the SIEM system 201 may commit a larger amount of computing resources to perform the third type of analysis as compared to the second type of analysis. The third type of analysis may also be more resource intensive than the second type of analysis, resulting in a longer analysis period as compared to the second type of analysis.

As described herein, the node 110A may be coupled to other nodes (e.g., nodes 110B and 110C) within the multi-node environment via the dedicated private network 101. The SIEM system 201 of node 110A may route data traffic to and from an external network, such as the public network 210, and/or to and from another node in the multi-node environment. The SIEM system 201 may perform the first type of analysis to inspect data traffic between two nodes on the dedicated private network 101, conceptually represented at the location 806. The SIEM system 201 can inspect both inbound and outbound data packets (e.g., the SIEM system 201 in node 110A may inspect data packets transmitted from node 110A to node 110B and/or transmitted from node 110B to node 110A). A neighboring node (e.g., node 110B) can also have the ability to perform the first type of analysis when receiving data transmitted by the node 110A or any other node in the multi-node environment. Thus, an inspection tag may be attached to a data packet by the SIEM system 201 of the node 110A after completing the first type of analysis such that the receiving node (e.g., node 110B) does not repeat the analysis. For example, this inspection tag indicates whether a corresponding data packet has been inspected by a SIEM system 201 in a node within the dedicated private network 101. The SIEM system 201 may be configured to not inspect data packets that include inspection tags indicating that the respective data packets have already been inspected by another SIEM system 201 in the multi-node environment, thereby eliminating duplicate inspections and increasing efficiency. As an example, the SIEM system 201 may perform firewall blocking, port analysis, and/or in-line blocking during the first type of analysis. These techniques can block exploits based on an analysis of the internal usage of the contents of a data packet. For example, a Permanent Virtual Circuit (PVC) can be defined by the SIEM system 201 and used to connect an external server to the SIEM system 201. A specific port number may be assigned to a particular server. Data transferring from the server across the PVC can then be restricted to use that assigned specific port number. The firewall can be configured to permit only traffic across this port and block all other traffic. The firewall can inspect the packet header for permitted IP source and destination addresses and for permitted port access. For example, specific services such as Mail (Simple Mail Transfer Protocol or SMTP, Post Office Protocol or POP) and WEB (HTTP port 80, SSL port 443) are commonly used to move specific data through designated ports relative to their services. The SIEM system 201 can be configured to permit only traffic through a port designated to the traffic type.
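The inspection tag and the per-server PVC port rule described above, as an added example and not the patent's own code: a Go firewall check that performs the first type of analysis, tags the packet, and lets the next node skip re-inspection. The NodeFirewall type, the rule that a tag is honored only on packets that arrived over the private network, and the addresses and ports are assumptions made here.

```go
package main

import "fmt"

// Packet is a simplified data packet on the router/firewall path of a node.
type Packet struct {
	Src, Dst         string
	SrcPort, DstPort int
	ViaPrivate       bool // arrived over private network 101 rather than public network 210
	Inspected        bool // inspection tag set by a SIEM system 201 after the first type of analysis
}

// Verdict is the outcome of the first type of analysis.
type Verdict string

const (
	Pass      Verdict = "pass: inspected and tagged"
	Skip      Verdict = "skip: already inspected by another node"
	DropNoPVC Verdict = "drop: no PVC port assignment for this server"
	DropPort  Verdict = "drop: server not using its assigned port"
	DropDst   Verdict = "drop: destination not permitted"
)

// NodeFirewall is the firewall 204 of one node: the port assigned to each
// server's PVC and the destination addresses that server may reach.
type NodeFirewall struct {
	Name          string
	PortByServer  map[string]int
	PermittedDsts map[string]bool
}

// FirstAnalysis (location 806) inspects a private-network packet and sets the
// inspection tag so the next node does not repeat the work. The tag is honored
// only for packets that actually arrived over the private network; that
// restriction is this example's assumption, not something the page states.
func (f NodeFirewall) FirstAnalysis(p *Packet) Verdict {
	if p.Inspected && p.ViaPrivate {
		return Skip
	}
	port, ok := f.PortByServer[p.Src]
	if !ok {
		return DropNoPVC
	}
	if p.SrcPort != port {
		return DropPort
	}
	if !f.PermittedDsts[p.Dst] {
		return DropDst
	}
	p.Inspected = true
	return Pass
}

// Traverse sends one packet through a chain of nodes and records each node's
// verdict; a drop ends the traversal, a skip means the tag was honored.
func Traverse(nodes []NodeFirewall, p *Packet) []Verdict {
	verdicts := make([]Verdict, 0, len(nodes))
	for _, n := range nodes {
		v := n.FirstAnalysis(p)
		verdicts = append(verdicts, v)
		if v != Pass && v != Skip {
			break
		}
		p.ViaPrivate = true // hops between nodes use private network 101
	}
	return verdicts
}

func main() {
	// Constructed node chain and packet; addresses are documentation ranges.
	nodeA := NodeFirewall{"110A", map[string]int{"203.0.113.5": 8443}, map[string]bool{"10.1.0.2": true}}
	nodeB := NodeFirewall{"110B", map[string]int{"203.0.113.5": 8443}, map[string]bool{"10.1.0.2": true}}
	p := Packet{Src: "203.0.113.5", Dst: "10.1.0.2", SrcPort: 8443, DstPort: 8443, ViaPrivate: true}
	fmt.Println(Traverse([]NodeFirewall{nodeA, nodeB}, &p))
}
```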

In relation to the components of the multi-node environment illustrated in FIG. 2A, inbound data traffic can enter node 110A through either public network 210 or private network 101, pass through router 202, active threat detector 203, and firewall 204, and be received by switch 212 if the second and/or third types of analysis do not result in the dropping or blocking of the data packet. Outbound data packets may pass through switch 212, firewall 204, active threat detector 203, and router 202 to either public network 210 or private network 101. Although both public network 210 and private network 101 traffic share the same physical routes within node 110A, the active threat detector 203 and/or the firewall 204 can distinguish public network 210 data packets from private network 101 data packets based on, for example, addresses within the data packets. The active threat detector 203 and/or the firewall 204 can then perform the types of analyses intended for the respective types of traffic. Border Gateway Protocol is an example protocol which may enable traffic management and differentiation.

In an embodiment, the SIEM system 201 performs the first, second, and/or third type of analysis on all data packets transmitted or received via the public network 210, the cellular network 220 (not shown), or the private network 101. In other embodiments, the SIEM system 201 performs the first, second, and/or third type of analysis on selected data packets. For example, a data packet may be selected for the first, second, and/or third type of analysis based on a configuration of the active threat detector 203 and/or the firewall 204 (e.g., the components may be configured to analyze certain types of data packets, data packets that have a certain source address, etc.). As another example, a data packet may be selected for the third type of analysis if the data packet was selected for the second type of analysis (and passed the second type of analysis). As another example, a data packet may be selected for the first, second, and/or third type of analysis based on a received threat alert (e.g., the SIEM system 201 has been notified by an external source or another node in the multi-node environment that a threat is expected or an attack has occurred). The SIEM system 201 may select the first few and/or last few data packets of a data flow when a threat alert is received. As another example, a data packet may be selected for the first, second, and/or third type of analysis if data packets similar to a received or transmitted data packet were dropped or blocked in the past.

Integrated Control and Data Management Interface

Generally, data is collected by various devices and then pushed to a centralized database. Once at the centralized database, the data can be processed (e.g., batch, Hadoop, etc.) and displayed to a user. However, the transfer of data to the centralized database can pose a security risk and cause network latency. For example, the data is often transferred over a public network, such as the Internet, leaving the data vulnerable to interception by malicious actors. Often, the amount of data collected by the various devices is very large (e.g., gigabytes to terabytes of data) and the transfer of the data to the centralized database can reduce the amount of bandwidth available for other traffic. To avoid these issues, the data could be stored locally to the device or system that generated the data. However, it may be difficult to process data across different systems given that each of the systems may reside on a separate private network and the data may be stored in incompatible formats.

Accordingly, described herein is an integrated control and data management interface that can avoid the issues described above. For example, data may be stored in databases local to the devices or systems that generated the data. The devices and/or systems may also be physically coupled to the same private network. The integrated control and data management interface can function in the control plane of the private network, thereby gaining access to the databases without having to access a public network (e.g., the integrated control and data management interface can connect to the databases “out-of-band” (e.g., via a private network) rather than “in-band” (e.g., via a public network)). The integrated control and data management interface can also access and/or process data stored in the databases local to the devices or systems via calls (e.g., application program interface (API) calls) to the various databases. The structure of the calls may remain static such that even if the formatting or mapping of the data in one or more of the databases changes, the integrated control and data management interface can still use the same calls to access and/or process the data. In this way, the integrated control and data management interface can provide a single user interface for device interaction and analysis.

FIG. 9 illustrates an example integrated control and data management interface network 900. As illustrated in FIG. 9, integrated control and data interface 910 is an example integrated control and data management interface described above. The integrated control and data interface 910 can be any physical computing system, such as a mobile device, desktop, workstation, server, and/or the like. The integrated control and data interface 910 can execute message-oriented middleware (MOM) that supports the sending and receiving of messages between nodes 110A-N and databases 920A-N.

In an embodiment, the integrated control and data interface 910 communicates with the private network 101 via a controller 915. For example, the controller 915 can represent a network operation center (or a network management center) that includes network monitoring equipment to control, manage, or otherwise monitor the private network 101. The controller 915 may also include a route optimization system (e.g., a MANAGED INTERNET ROUTE OPTIMIZER controller) that automatically manages network protocols (e.g., Border Gateway Protocol (BGP)) and re-routes traffic. Thus, the integrated control and data interface 910 can access the control plane of the private network 101 via the controller 915. In alternative embodiments, the integrated control and data interface 910 communicates directly with the private network 101.

The databases 920A-N can be databases that store data local to a system or device. For example, the databases 920A-N can each be associated with a third party and store data generated by the respective third party. The third parties can be any system or service that generates data, such as a network-accessible ticketing service, a system of sensors (e.g., sensors associated with oil wells or oil pipelines), a credit card processing service, and/or the like.

The nodes 110A-N and databases 920A-N may each be physically located in different geographic locations. However, the nodes 110A-N and the databases 920A-N may have access to the private network 101 and other networks, such as public networks (not shown). Thus, the integrated control and data interface 910 can communicate with the nodes 110A-N and the databases 920A-N via the private network 101, thereby avoiding public networks, such as the public network 210 or the cellular network 220, and the data vulnerabilities associated with such networks.

The integrated control and data interface 910 can use calls (e.g., API calls) to query the databases 920A-N and/or the databases of the nodes 110A-N (e.g., storage servers 208) via the private network 101. For example, the integrated control and data interface 910 can transmit a query call to the database 920A via the private network 101. Instead of creating artifacts associated with the data stored in the database 920A (which can contaminate data and/or results) and/or using private network 101 bandwidth to transfer the data stored in the database 920A to the integrated control and data interface 910, the integrated control and data interface 910 can construct the query call such that any processing associated with the query call is executed locally by the database 920A (or the system operating the database 920A) and a processed result is transmitted to the integrated control and data interface 910 (e.g., a result that includes a response to the query). The integrated control and data interface 910 can transmit the same query to multiple nodes 110A-N and/or databases 920A-N such that the integrated control and data interface 910 effectively processes data stored locally in different databases as if the data was actually all stored in a centralized database.

In addition, the integrated control and data interface 910 can display the results of a query (or stored data) within a single interface, such as a single user interface, without creating multiple connections to different nodes 110A-N and/or databases 920A-N. For example, generally to be able to view data stored in database 920A and data stored in database 920B, a device would need to establish a first connection (e.g., a first tunnel) with the database 920A, collect the desired data from the database 920A, close the first connection, separately establish a second connection (e.g., a second tunnel) with the database 920B, and then collect the desired data from the database 920B. The connections may be serially established and closed because the connections are secure and a device generally cannot establish multiple secure connections at once, especially when such connections require the device to connect with a network outside of the network to which the device is associated.

However, here, the integrated control and data interface 910 may not need to establish two separate connections to access the data stored in the databases 920A-B. Instead, the integrated control and data interface 910 can use the internal routing protocol of the private network 101 (because the integrated control and data interface 910 accesses the private network 101 via the control plane) to communicate with the various nodes 110A-N and/or the databases 920A-N. For example, the database 920A may be assigned an internal network address. The integrated control and data interface 910 can use this internal network address to access the database 920A (where the internal routing protocol routes packets such that any calls initiated by the integrated control and data interface 910 are received by the database 920A). Thus, there is no need to serially establish and close connections to the nodes 110A-N and/or the databases 920A-N. The integrated control and data interface 910 can access multiple nodes 110A-N and/or the databases 920A-N at the same time (e.g., the internal network address of the database 920A can be used to display database 920A data in a first window of the user interface and the internal network address of the database 920B can be used to display database 920B data in a second window of the user interface concurrently with the first window).

Double-Encryption Network Connection

As described above with respect to FIG. 5, a node 110 can include an encryption key management system 205, where the encryption key management system 205 includes the EKM system 501, the LKM 502, and one or more SEDs 503. As described above with respect to FIG. 6, the EKM system 501 of one node 110 can communicate with the EKM system 501 of another node 110 so that both EKM systems 501 can exchange generated encryption keys. In some embodiments, a node 110 can include the encryption key management system 205 and one or more separate encryption key management systems that are each associated with a specific user. The encryption key management system 205 and the one or more separate encryption key management systems can be used to secure a network connection between the node 110 and a user system, as described below with respect to FIG. 10.

FIG. 10 illustrates a double-encryption environment between a node 110A and a user system 1050. As illustrated in FIG. 10, the node 110A includes the SIEM system 201A, the switch 212A, the encryption key management system 205A, other components of the node 110A illustrated in FIGS. 2A-2B, and a user encryption key management system 1005A. The user encryption key management system 1005A may include the same components as the encryption key management system 205A. For example, the user encryption key management system 1005A includes an EKM system 1051A, an LKM 1052A, and one or more SEDs 1053A. The user encryption key management system 1005A may be associated with a specific user (e.g., the user that manages the user system 1050) and may be isolated from other components of the node 110A aside from the switch 212A. For example, the data stored in the one or more SEDs 1053A may have restricted access such that only certain components of the node 110A can access such data (e.g., the one or more processing servers 206 may access the data via the switch 212A to perform one or more actions at the request of the user system 1050). While the node 110A is depicted as having a single user encryption key management system 1005A, this is not meant to be limiting. The node 110A can include any number of user encryption key management systems, where each user encryption key management system is associated with a different user and/or user system 1050.

The node 110A may communicate with a network manager 1010 via the SIEM system 201A using a private network 1001 (e.g., a privately accessible network of linked networks, possibly operated by various distinct parties, such as a personal area network, local area network, wide area network, cable network, satellite network, cellular telephone network, etc., or a combination thereof, each with access to and/or from the Internet) only accessible to the network manager 1010 and the node 110A. Likewise, the user system 1050 may communicate with the network manager 1010 using the public network 210. Thus, the node 110A and the user system 1050 may communicate via the private network 1001 and the public network 210. Connection 1020 between the SIEM system 201A and the network manager 1010 over the private network 1001 may have double encryption, whereas connection 1022 between the network manager 1010 and the user system 1050 over the public network 210 may have single encryption, as described in greater detail below.

The network manager 1010 may be a system that includes computer hardware (e.g., a processor, memory, modem, etc.) and that is managed by a network provider, such as an Internet service provider. The network provider may manage at least some components within the public network 210. The network provider may also manage the private network 1001 alone or in conjunction with the entity managing the node 110A. The network manager 1010 may serve as an interface between the private network 1001 and the public network 210. In some embodiments, the network manager 1010 can function as a firewall by blocking data packets from being transmitted within the private network 1001 if such data packets or the data within such data packets are not encrypted.

The user system 1050 may be a system managed by a user that locally stores user data (e.g., data measured by electronic or IoT devices 211, transactional data, medical data, etc.). The user system 1050 may include a user encryption key management system 1005B that includes the same components as the user encryption key management system 1005A. For example, the user encryption key management system 1005B may include the EKM system 1051B, the LKM 1052B, and one or more SEDs 1053B. The one or more SEDs 1053B may store user data in an encrypted format (e.g., encrypted using encryption keys generated by the EKM system 1051B). The user system 1050 may also include other storage devices, not shown, for locally storing user data. As an illustrative example, the user system 1050 can be a system located on the premises of an entity (e.g., a manufacturing company, a pipeline operator, a credit card company, a hospital, etc.) that manages and/or owns the user data.

Because the user encryption key management system 1005A is associated with the user system 1050, the user encryption key management system 1005A and the user encryption key management system 1005B may communicate with each other (e.g., the EKM system 1051A and the EKM system 1051B may communicate with each other) to facilitate key exchange. The key exchange may take place to encrypt a connection between the node 110A and the user system 1050 and to allow the node 110A to process user data. For example, while the user data may be stored locally in the user system 1050 (and therefore secure), the amount of user data may be large (e.g., gigabytes, terabytes, etc.) and the cost of processing such data (e.g., aggregating the data, identifying trends in the data using machine-learning or other techniques, filtering the data, etc.) may be high (e.g., financially expensive and expensive in terms of computing resources needed to process the large amount of data). Thus, the processing resources available to the node 110A could be leveraged to perform the desired data processing. However, as described herein, the user data may be extremely sensitive and/or confidential. Accordingly, it may be important for a connection to be secure before a copy of some or all of the user data is transferred across a network.

To secure the connection 1020 and the connection 1022, the EKM system 1051A or 1051B can generate an encryption key that is used to encrypt some or all of the data transferred across the connections 1020 and 1022. For example, user data stored in the one or more SEDs 1053B may be encrypted. The LKM 1052B can retrieve an encryption key to allow the one or more SEDs 1053B to decrypt the user data to be transmitted to the node 110A for processing. The LKM 1052B can then receive the same encryption key or another encryption key from the EKM system 1051B to encrypt the user data for transport across the connection 1022 and the connection 1020. Alternatively, the SEDs 1053B do not decrypt the user data and the encrypted user data is transmitted to the node 110A.

The encrypted user data passes through the connection 1022 and arrives at the network manager 1010. The EKM system 501 of the encryption key management system 205A may generate a second, separate encryption key that is used to encrypt data traveling along the connection 1020. For example, the EKM system 501 may transmit the second encryption key to the network manager 1010. The network manager 1010 can then encrypt the encrypted user data using the second encryption key. Thus, the user data is encrypted twice. The network manager 1010 can then forward the double-encrypted user data along the connection 1020 to the SIEM system 201A.

The SIEM system 201A passes the double-encrypted user data to the switch 212A, which then forwards the double-encrypted user data to the user encryption key management system 1005A. The user encryption key management system 1005A can request the second encryption key from the encryption key management system 205A via the switch 212A and decrypt the outer encryption layer of the double-encrypted user data using the second encryption key. Alternatively, the SIEM system 201A or the switch 212A can request the second encryption key from the encryption key management system 205A and decrypt the outer encryption layer of the double-encrypted user data, or the double-encrypted user data can be passed to the encryption key management system 205A for decryption of the outer encryption layer.

Because the user data is also encrypted using an encryption key generated by the EKM system 1051B, the EKM system 1051B coordinates with the EKM system 1051A to indicate the encryption key that was used to encrypt the user data. The EKM system 1051B can either forward the encryption key to the EKM system 1051A (e.g., by encrypting the encryption key using another encryption key available to the EKM system 1051A and transmitting the encrypted encryption key along the connections 1020 and 1022) or provide the information necessary for the EKM system 1051A to generate and/or retrieve the same encryption key. For example, both EKM systems 1051A-B may use the same techniques to generate encryption keys such that each generates encryption keys in the same order or sequence. The EKM system 1051B can then indicate to the EKM system 1051A which encryption key in the sequence was used to encrypt the user data, which then allows the EKM system 1051A to generate and/or retrieve the appropriate encryption key for decryption of the encrypted user data.

Once the encryption key is identified, the user encryption key management system 1005A can use the encryption key to decrypt the now single-encrypted user data and send the decrypted user data to the one or more processing servers 206 via the switch 212A. The user system 1050 may separately transmit an instruction to the node 110A via the connections 1020 and 1022 that instructs the node 110A to perform a certain operation (e.g., data aggregation, trend identification, data filtering, etc.) such that the one or more processing servers 206 perform the appropriate actions on the decrypted user data. Alternatively, the instruction can be sent in conjunction with the encrypted user data (e.g., the instruction may be encrypted as well and, after the instruction is decrypted, the user encryption key management system 1005A can transmit the decrypted instruction to the one or more processing servers 206 via the switch 212A such that the one or more processing servers 206 process the user data according to the decrypted instruction).

After the decrypted user data is processed, the processed user data is transmitted by the one or more processing servers 206 back to the user encryption key management system 1005A via the switch 212A. The user encryption key management system 1005A can encrypt the processed user data using an encryption key generated by the EKM system 1051A or received from the EKM system 1051B (e.g., either the same encryption key used to encrypt the user data when transmitted by the user system 1050 or a different encryption key). The user encryption key management system 1005A can then request an encryption key from the encryption key management system 205A to use for encrypting the encrypted processed user data. The encryption key provided by the encryption key management system 205A can be the same second encryption key used to encrypt the encrypted user data by the network manager 1010 or a different encryption key. Alternatively, the encrypted processed user data can be passed to the switch 212A, the SIEM system 201A, and/or the encryption key management system 205A to encrypt the processed user data a second time. Thus, the processed user data is encrypted twice: once using an encryption key provided by the user-specific user encryption key management system 1005A and once again using an encryption key provided by the encryption key management system 205A.

The double-encrypted processed user data can then be transmitted by the node 110A to the network manager 1010 along the connection 1020 through the private network 1001. The network manager 1010 can then use the encryption key provided by the encryption key management system 205A to decrypt the outer encryption layer of the double-encrypted processed user data. The network manager 1010 can then transmit the now single-encrypted processed user data to the user system 1050 along the connection 1022 through the public network 210. Once the user system 1050 receives the single-encrypted processed user data, the EKM system 1051B can provide an encryption key that can be used to decrypt the encrypted processed user data (e.g., based on communications with the EKM system 1051A to identify which encryption key was used to encrypt the processed user data and/or to receive the encryption key used to encrypt the processed user data). The decrypted processed user data can then be stored in the one or more SEDs 1053B and/or other storage systems. When stored in the one or more SEDs 1053B, the decrypted processed user data may be encrypted using an encryption key provided by the EKM system 1051B via the LKM 1052B.
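The double-encryption flow of FIG. 10, as an added example that is not the patent's code: a Go implementation of the inner (user key) and outer (node key) layers with AES-256-GCM, including the indexed key sequence shared by EKM systems 1051A and 1051B so that a sender transmits only the index of the key it used. The UserEKM type, the HMAC-SHA256 key derivation, and the role function names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// seal encrypts with AES-256-GCM; the random nonce is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// UserEKM stands in for EKM systems 1051A and 1051B: both hold one master secret and
// derive the same key sequence (HMAC-SHA256 here, this example's choice), so a sender
// need only name the index of the key it used.
type UserEKM struct{ master []byte }

// KeyAt returns the index-th key of the shared sequence (32 bytes, an AES-256 key).
func (e UserEKM) KeyAt(index uint32) []byte {
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], index)
	mac := hmac.New(sha256.New, e.master)
	mac.Write([]byte("user-data-key"))
	mac.Write(idx[:])
	return mac.Sum(nil)
}

// InnerEncrypt is the user-specific layer; output is index || sealed data.
func InnerEncrypt(e UserEKM, index uint32, data []byte) ([]byte, error) {
	sealed, err := seal(e.KeyAt(index), data)
	if err != nil {
		return nil, err
	}
	msg := make([]byte, 4, 4+len(sealed))
	binary.BigEndian.PutUint32(msg, index)
	return append(msg, sealed...), nil
}

// InnerDecrypt re-derives the key from the transmitted index and opens the layer.
func InnerDecrypt(e UserEKM, msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, errors.New("missing key index")
	}
	return open(e.KeyAt(binary.BigEndian.Uint32(msg[:4])), msg[4:])
}

// Forward path: user system 1050 adds the inner layer (connection 1022), network manager
// 1010 adds the outer layer with the EKM 501 key (connection 1020), node 110A removes
// the outer layer and user KMS 1005A the inner one.
func UserSystemSend(e UserEKM, i uint32, d []byte) ([]byte, error) { return InnerEncrypt(e, i, d) }
func NetworkManagerForward(nodeKey, single []byte) ([]byte, error) { return seal(nodeKey, single) }
func NodeReceive(nodeKey []byte, e UserEKM, double []byte) ([]byte, error) {
	single, err := open(nodeKey, double)
	if err != nil {
		return nil, err
	}
	return InnerDecrypt(e, single)
}

// Return path: node 110A applies both layers, network manager 1010 strips the outer
// one, user system 1050 strips the inner one.
func NodeSend(e UserEKM, i uint32, nodeKey, d []byte) ([]byte, error) {
	single, err := InnerEncrypt(e, i, d)
	if err != nil {
		return nil, err
	}
	return seal(nodeKey, single)
}
func NetworkManagerReturn(nodeKey, double []byte) ([]byte, error) { return open(nodeKey, double) }
func UserSystemReceive(e UserEKM, single []byte) ([]byte, error)   { return InnerDecrypt(e, single) }
```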

While FIG. 10 depicts one user system 1050, this is not meant to be limiting. For example, multiple user systems may connect with the network manager 1010 via the public network 210. Data transmitted between the network manager 1010 and the various user systems (e.g., via connection 1022 and other connections, not shown) may be encrypted using an encryption key provided by the EKM system 1051 of the respective user system. Data transmitted between the network manager 1010 and the node 110A (e.g., via connection 1020) may be double-encrypted, where the data encrypted using the encryption keys provided by the EKM system 1051 of the respective user system is encrypted again using an encryption key provided by the EKM system 501 of the encryption key management system 205A. Thus, the connection 1020 may carry multiple channels of double-encrypted data, where data in each channel is encrypted using a common encryption key (e.g., the encryption key provided by the EKM system 501 of the encryption key management system 205A) and a unique encryption key (e.g., the encryption key provided by the EKM system 1051 of the user system associated with the respective data). Alternatively, data in each channel can be encrypted using unique encryption keys (e.g., the EKM system 501 of the encryption key management system 205A can provide different encryption keys to the network manager 1010, one for each channel).
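The layered channel encryption described above, as an added example that is not part of the patent or of any product it describes: the node wraps each user's processed data first under that user's EKM key and then under the common key held by the node's encryption key management system, the network manager strips only the outer layer, and the user system removes the inner one. Key values, function names and the blob layout are assumptions made for this example; the cipher is a constructed HMAC-SHA256 keystream cipher so that the block runs on the standard library alone (a real deployment would use an AEAD such as AES-GCM).

```python
"""Two-layer encryption of per-user channels (added example, not patent code).
Cipher: constructed HMAC-SHA256 counter-mode keystream with encrypt-then-MAC."""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Block i of the keystream is HMAC(key, nonce || i); never reuse a nonce per key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- the three roles from the description (names are this example's) ---------

def node_encrypt(user_key: bytes, common_key: bytes, processed: bytes) -> bytes:
    """Node: inner layer under the user-specific EKM key, outer layer under the
    common key from the node's encryption key management system."""
    return encrypt(common_key, encrypt(user_key, processed))


def network_manager_forward(common_key: bytes, double_encrypted: bytes) -> bytes:
    """Network manager: removes the outer layer only. The result stays opaque
    to it because it never holds the user key."""
    return decrypt(common_key, double_encrypted)


def user_system_receive(user_key: bytes, single_encrypted: bytes) -> bytes:
    return decrypt(user_key, single_encrypted)


def run_channels(user_keys: Dict[str, bytes], common_key: bytes,
                 payloads: Dict[str, bytes]) -> Dict[str, bytes]:
    """Carry several user channels over one connection under a shared outer
    key; return what each user system recovers."""
    recovered = {}
    for user, data in payloads.items():
        on_wire = node_encrypt(user_keys[user], common_key, data)
        at_manager = network_manager_forward(common_key, on_wire)
        recovered[user] = user_system_receive(user_keys[user], at_manager)
    return recovered


def manager_can_read(common_key: bytes, single_encrypted: bytes) -> bool:
    """True only if the common key also opens the inner layer (it must not)."""
    try:
        decrypt(common_key, single_encrypted)
        return True
    except ValueError:
        return False
```

The point the block makes concrete is the trust split: an intermediary that holds the common key can authenticate and route each channel, but a compromise of that key (or of the network manager) exposes only the still-encrypted inner blobs, never user plaintext.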

Device Worlds

As described herein, a user can access a node 110A-N to provide login information and attributes or parameters for an IoT device, such as one of the electronic devices 211, 311, and/or 411. Electronic device attributes or parameters (e.g., IoT device attributes or parameters) can include device settings (e.g., a time of day that the electronic device operates, a temperature value if the electronic device is a thermostat, etc.), device measurements, and/or any other values that define the characteristics of or the behavior of the electronic device.

When providing the login information and attributes or parameters, the user can also group electronic devices into the same environment or device world and assign global parameters (e.g., world parameters) to the device world. As used herein, a “device world” is a user-defined grouping or aggregation of electronic devices, where each electronic device in the device world is configured to operate according to the global parameters assigned to the device world. The electronic devices grouped into the same device world can be related. For example, a user may operate a pipeline. The electronic devices may be sensors that measure various parameters associated with the pipeline, such as temperature, pressure, flow, etc. Because the electronic devices are used to monitor the same structure (e.g., the pipeline), a set of global parameters may govern how the electronic devices operate. As another example, a first electronic device can be a thermostat and a second electronic device can be a wearable human body monitor. The first and second electronic devices may be configured with a set of global parameters such that the person wearing the wearable human body monitor maintains a constant body temperature.

Using the provided login information, the node 110A-N can periodically poll the electronic devices in a device world, a server that manages the electronic devices in the device world (e.g., the server 230), and/or electronic devices not assigned to any device world to determine whether the electronic devices are operating according to the device attributes and/or the global parameters. If the node 110A-N polls the electronic devices directly and determines that an electronic device is operating outside of the defined device attributes and/or global parameters, the node 110A-N can generate an alert or notification to inform the user that the electronic device is operating incorrectly and/or can transmit a message to the electronic device to instruct the electronic device to adjust the device parameter that has caused the electronic device to operate outside of the defined device attributes and/or global parameters. If the node 110A-N polls the server that manages the electronic devices and determines that an electronic device is operating outside of the defined device attributes and/or global parameters based on the feedback provided by the server, the node 110A-N can generate an alert or notification to inform the user that the electronic device is operating incorrectly and/or can transmit a message to the server managing the electronic device to instruct the electronic device to adjust the device parameter that has caused the electronic device to operate outside of the defined device attributes and/or global parameters.
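One way to implement the polling check just described, as an added example rather than code from the patent: each device carries its own attribute limits, the global parameters of its device world narrow those limits, and every polled reading outside the combined range produces both an alert and a corrective message. The devices, worlds, parameter names and readings below are constructed for the example.

```python
"""Device-world polling check (added example, not patent code).
World parameters narrow a device's own limits; violations yield an alert
and the value the device is instructed to adopt."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Limits = Dict[str, Tuple[float, float]]  # parameter -> (min, max)


@dataclass
class Device:
    device_id: str
    world: Optional[str]                 # None when not assigned to any device world
    limits: Limits = field(default_factory=dict)


@dataclass
class Finding:
    device_id: str
    parameter: str
    value: float
    alert: str
    adjust_to: float                     # value sent back in the corrective message


def effective_limits(device: Device, worlds: Dict[str, Limits]) -> Limits:
    """Combine device attributes with world parameters. A world parameter may
    narrow a device's range but never widen it, so the result is the
    intersection of the two ranges for every shared parameter."""
    combined = dict(device.limits)
    for p, (lo, hi) in worlds.get(device.world, {}).items():
        dlo, dhi = combined.get(p, (lo, hi))
        combined[p] = (max(lo, dlo), min(hi, dhi))
    return combined


def evaluate_poll(device: Device, reading: Dict[str, float],
                  worlds: Dict[str, Limits]) -> List[Finding]:
    """Check one poll result; parameters the device did not report are skipped."""
    findings: List[Finding] = []
    for p, (lo, hi) in effective_limits(device, worlds).items():
        if p not in reading:
            continue
        v = reading[p]
        if v < lo or v > hi:
            target = min(max(v, lo), hi)   # nearest in-range value
            findings.append(Finding(
                device.device_id, p, v,
                "%s: %s=%g outside [%g, %g]" % (device.device_id, p, v, lo, hi),
                target))
    return findings
```

The same evaluation serves both polling modes in the text: when the node polls a managing server instead of the devices, the server's feedback is the `reading` and the corrective message goes to the server rather than the device.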

On-Premise to Cloud

FIGS. 11A-11E are block diagrams of an “on-premise to cloud” environment 1100 in which data managed by an entity (e.g., an individual, a company, a business, etc.) and stored locally at the entity's place of operation (e.g., in one or more servers 1110 located at the place of operation) and/or stored at a location accessible by the entity (e.g., in one or more servers 1110 at a data center) can be securely transmitted to a node 110A-N via the public network 210, the cellular network 220, and/or the private network 101. For example, as illustrated in FIG. 11A, the entity's place of operation and/or the data center may include a computing system 1120 (e.g., with one or more hardware processors, memory, a network interface, a bus, etc.) that functions as a cross-domain guard (referred to herein as a cross-domain guard device 1122) and a network gateway 1124 (e.g., a DISPERSIVE virtualized network (DVN) gateway). A “data center” may refer to a portion of a building or other physical structure, a building or other physical structure, portions of a set of buildings and/or other physical structures, or a set of buildings and/or other physical structures used to house computing systems (such as one or more servers 1110) and associated components or devices (e.g., networking or telecommunication components, storage components, power supplies, etc.) that are used to store, process, and/or communicate data. The entity's place of operation and/or the data center may be referred to herein as “on-premise” or “on-prem.”

The cross-domain guard device 1122 may be positioned logically between the server(s) 1110 that store entity data and the network gateway 1124. The cross-domain guard device 1122 may control whether data can pass from one security domain to another security domain. Unlike a firewall, the cross-domain guard device 1122 does not simply transmit individual data packets at the transmission control protocol (TCP)/Internet protocol (IP) layer. Rather, the cross-domain guard device 1122 may be configured with computer-executable instructions that, when executed, cause the cross-domain guard device 1122 to inspect the content of data packets received from the network gateway 1124 and destined for the server(s) 1110 storing entity data and/or to inspect the content of data packets received from the server(s) 1110 storing entity data and destined for the network gateway 1124 (and other systems). In particular, the cross-domain guard device 1122 can assemble one or more data packets into a single message within a sandboxed environment, and then analyze content of the single message to determine whether the content satisfies one or more rules. Based on the analysis, the cross-domain guard device 1122 may allow the data packet(s) to pass (e.g., if the analysis results in a determination that the single message does not include words, files, macros, attachments, and/or other content that are not allowed to be sent to the destination given the destination's security domain level, as determined by one or more rules), may redirect the data packet(s) (e.g., for further analysis), may drop the data packet(s) (e.g., if the analysis results in a determination that the single message includes words, files, macros, attachments, and/or other content that is not allowed to be sent to the destination given the destination's security domain level, as determined by one or more rules), and/or may quarantine the data packet(s) (e.g., for further analysis). In some embodiments, the cross-domain guard device 1122 may translate one or more data packets into a common format prior to the analysis.

The cross-domain guard device 1122 can therefore prevent sensitive data (e.g., classified data) from being transmitted to an unsecure domain. In general, the cross-domain guard device 1122 can prevent data with a high classification from being transmitted to a domain with a low classification, but can allow data with a low classification to be transmitted to a domain with a high classification.
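A minimal guard of the kind the two paragraphs above describe, added here as an example and not taken from the patent or any guard product: packets are first reassembled into one message, the message is checked against content rules in light of the source and destination domain levels, and the outcome is one of the four decisions named in the text. The domain names and levels, the marking words, the packet format and the 30 % binary-content threshold are constructed assumptions; the OLE2 header bytes and the `vbaProject.bin` part name are real file-format facts used as macro indicators.

```python
"""Cross-domain guard sketch (added example, not patent code).
Inspection is done on the reassembled message, never on single packets."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Decision(Enum):
    ALLOW = "allow"
    REDIRECT = "redirect"      # hand off for further analysis
    DROP = "drop"
    QUARANTINE = "quarantine"  # hold until it can be analysed as a unit


# Constructed security domain levels; higher means more sensitive.
DOMAIN_LEVELS: Dict[str, int] = {"Moderate": 1, "SCIF": 3}

# Constructed word rule: a marking may only reach a destination at least this high.
MARKING_MIN_LEVEL: Dict[bytes, int] = {b"SECRET": 3, b"CONFIDENTIAL": 2}
MARKING_RE = re.compile(
    rb"\b(" + b"|".join(re.escape(m) for m in MARKING_MIN_LEVEL) + rb")\b")

# Macro-bearing document indicators (real format facts): OLE2 compound file
# header used by legacy .doc/.xls, and the VBA project part inside OOXML zips.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PART = b"vbaProject.bin"

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass(frozen=True)
class Packet:
    msg_id: str
    seq: int       # 0-based position within the message
    total: int     # number of packets making up the message
    payload: bytes


def reassemble(packets: List[Packet]) -> bytes:
    """Rebuild one message; raise if packets are missing or from different messages."""
    if not packets:
        raise ValueError("no packets")
    msg_id, total = packets[0].msg_id, packets[0].total
    by_seq: Dict[int, bytes] = {}
    for p in packets:
        if p.msg_id != msg_id or p.total != total:
            raise ValueError("packets from different messages")
        by_seq[p.seq] = p.payload
    if sorted(by_seq) != list(range(total)):
        raise ValueError("incomplete message")
    return b"".join(by_seq[i] for i in range(total))


def inspect(packets: List[Packet], src_domain: str, dst_domain: str) -> Decision:
    """Apply the rules to the whole message in light of both domain levels."""
    try:
        message = reassemble(packets)
    except ValueError:
        return Decision.QUARANTINE
    src, dst = DOMAIN_LEVELS[src_domain], DOMAIN_LEVELS[dst_domain]

    # Macro-bearing content is refused regardless of direction.
    if message.startswith(OLE2_MAGIC) or VBA_PART in message:
        return Decision.DROP

    # Classification markings only matter when data flows to a lower domain.
    if dst < src:
        for m in MARKING_RE.finditer(message):
            if MARKING_MIN_LEVEL[m.group(1)] > dst:
                return Decision.DROP

    # Unrecognised binary content is sent for further analysis, not guessed at.
    if message and sum(b not in PRINTABLE for b in message) / len(message) > 0.3:
        return Decision.REDIRECT
    return Decision.ALLOW


def packetize(msg_id: str, message: bytes, size: int) -> List[Packet]:
    """Build constructed input: cut a message into fixed-size packets."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)] or [b""]
    return [Packet(msg_id, i, len(chunks), c) for i, c in enumerate(chunks)]
```

Reassembling before inspection is what separates this from a packet filter: a marking split across two packets is still caught, as the test below shows with four-byte packets.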

The network gateway 1124 may be configured to communicate with other network gateways 1124 present in other systems via the public network 210 and/or the cellular network 220. In particular, the network gateway 1124 may run an application that intercepts data packets at Layer 2, 3, and/or 4. The application can then communicate with a session controller (e.g., a hardware device located external to the entity's place of operation, the data center, and/or the destination system) that can confirm that the network gateway 1124 is allowed to communicate with another network gateway 1124, can establish communication protocols for a session, and/or can inform the source network gateway 1124 (e.g., the network gateway present in the entity's place of operation and/or the data center) and the destination network gateway 1124 (e.g., a network gateway operating in a node 110, as described in greater detail below) of which network paths to use to transmit data. The application running on the source network gateway 1124 can then, once one or more data packets are received, split the data packet(s) into one or more sub-packets, where the sub-packets are not duplicates of each other. The application can then transmit, to the destination network gateway 1124 over the public network 210 and/or the cellular network 220, each sub-packet over a different, independent network path identified by the session controller. Each network path may include a device referred to as a “deflect,” which relays network traffic between endpoints. In some embodiments, the application encrypts the sub-packets prior to transmission.

The destination network gateway 1124 may also run an application, and the destination network gateway 1124 application can receive the sub-packets transmitted over the different network paths. Once received, the destination network gateway 1124 application can decrypt the sub-packets and/or reassemble the sub-packets into the original data packet(s). Thus, the destination network gateway 1124 now possesses the data packet(s) that the source network gateway 1124 intended to transmit. To transmit data from a remote system (e.g., a node 110A-N) to the entity's place of operation and/or the data center, the destination network gateway 1124 can perform the operations of the source network gateway 1124, and vice-versa.

By splitting the data packet(s) into sub-packets and then transmitting the sub-packets over different network paths, the negative consequences of man-in-the-middle attacks can be mitigated. For example, if the data packet(s) were transmitted over the same network path and a malicious actor or device was present in that network path, the malicious actor or device could obtain all of the information transmitted by the source network gateway. However, now that only a portion of the data packet(s) is transmitted over any one network path, even if a malicious actor or device was present in one of the network paths, the malicious actor or device would not be able to obtain all of the information being transmitted by the source network gateway 1124. Rather, the malicious actor or device would only be able to obtain a portion of the transmitted information, and such information may be unusable if the data packet(s) are split in a manner such that the information is only usable if the sub-packets are combined.
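The last sentence above describes a split in which a sub-packet is useless on its own. An added example of such a split, not the patent's or any DVN product's code: each packet becomes n sub-packets, the first n-1 uniformly random and the last the packet XORed with all of them, so that an observer on any one path (or on any n-1 paths) sees only random bytes, while the destination gateway recovers the packet by XORing everything it receives. This generalises the two-path case in the text to any number of paths. The header layout, the truncated-SHA-256 trailer and the function names are assumptions for this example.

```python
"""XOR split of a packet into per-path sub-packets (added example, not patent code).
Security property: any proper subset of the sub-packets is independent of the packet."""
import hashlib
import os
import struct
from typing import Callable, Dict, List

HEADER = struct.Struct("!8sBB")   # message id, share index, share count
TRAILER_LEN = 8                   # truncated SHA-256 of the packet, split along with it


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_packet(packet: bytes, n_paths: int,
                 rng: Callable[[int], bytes] = os.urandom) -> List[bytes]:
    """Return n_paths sub-packets, one per independent network path."""
    if n_paths < 2 or n_paths > 255:
        raise ValueError("need between 2 and 255 paths")
    # The integrity trailer is split too, so no single path carries a hash of the packet.
    body = packet + hashlib.sha256(packet).digest()[:TRAILER_LEN]
    msg_id = rng(8)
    shares = [rng(len(body)) for _ in range(n_paths - 1)]
    last = body
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return [HEADER.pack(msg_id, i, n_paths) + s for i, s in enumerate(shares)]


def reassemble(sub_packets: List[bytes]) -> bytes:
    """Recombine sub-packets from all paths; raise if any is missing, mixed in
    from another message, or the integrity trailer does not match."""
    if not sub_packets:
        raise ValueError("nothing received")
    if any(len(sp) < HEADER.size for sp in sub_packets):
        raise ValueError("truncated sub-packet")
    msg_id, _, n = HEADER.unpack(sub_packets[0][:HEADER.size])
    seen: Dict[int, bytes] = {}
    for sp in sub_packets:
        mid, idx, cnt = HEADER.unpack(sp[:HEADER.size])
        if mid != msg_id or cnt != n:
            raise ValueError("sub-packet belongs to another message")
        seen[idx] = sp[HEADER.size:]
    missing = sorted(set(range(n)) - set(seen))
    if missing:
        raise ValueError("missing sub-packets: %s" % missing)
    body = seen[0]
    for i in range(1, n):
        if len(seen[i]) != len(body):
            raise ValueError("length mismatch")
        body = _xor(body, seen[i])
    packet, trailer = body[:-TRAILER_LEN], body[-TRAILER_LEN:]
    if hashlib.sha256(packet).digest()[:TRAILER_LEN] != trailer:
        raise ValueError("integrity check failed")
    return packet


def observed_on_one_path(sub_packet: bytes) -> bytes:
    """What a device on a single path sees: a random string of the packet's
    length (plus trailer), carrying no information about the packet."""
    return sub_packet[HEADER.size:]
```

The trade-off a practitioner should keep in mind: the same property that denies a single-path observer any information also means the loss of any one path loses the whole packet, so the session controller's path selection and retransmission matter as much as the split itself. The trailer detects corruption but is not a MAC; encrypting the sub-packets, as the text mentions, is still needed against an active adversary.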

As mentioned above and as illustrated in FIG. 11B, a node 110A-N can include a network gateway, such as network gateway 1134. For example, the switch 212 may include a network gateway 1134 and/or the SIEM 201 may include a network gateway 1134. Each node 110A-N may include the network gateway 1134 such that data can be transmitted to and/or from an entity's place of operation and/or the data center in a more secure manner than is possible with current virtual private network (VPN) and/or other tunneling technologies. For example, VPN applications generally transmit data over a single network path, which can be problematic for the reasons discussed above. Each node 110A-N may further include a cross-domain guard device 1132 positioned logically between the network gateway 1134 and the storage servers 208 such that data associated with one security domain level is not transmitted to a system with a lower security domain level.

In a simple use case, a user may wish to transmit data from the entity's place of operation and/or the data center to a node 110A-N so that the data can be processed by a node 110A-N, and then to have the processed data transmitted back to the entity's place of operation and/or the data center for storage. Thus, the user may use a user device (e.g., a computing device, such as a laptop, desktop, tablet, etc. or any electronic device 211) to instruct a server 1110 storing data to transmit the data to a node 110A-N. In response, the server 1110 may transmit the data (e.g., as one or more data packets) to the cross-domain guard device 1122 present in the entity's place of operation and/or the data center. The cross-domain guard device 1122 can analyze the data packet(s) to determine whether the content in the data packets can be transmitted to a node 110A-N (e.g., by processing the content using one or more rules, taking into account the security domain level of the internal network of the entity's place of operation and/or the data center at which the data is initially stored and the security domain level of the node 110A-N).

If the cross-domain guard device 1122 allows the data packet(s) to pass, the source network gateway 1124 receives the data packet(s). The source network gateway 1124 can then split the data packet(s) into one or more sub-packets, and transmit each sub-packet to the destination network gateway 1134 in the node 110A-N over a different network path via the public network 210 and/or the cellular network 220.

The destination network gateway 1134 can reassemble the sub-packets to form a reassembled version of the original data packet(s). Once reassembled, the destination network gateway 1134 can forward the reassembled version of the original data packet(s) to, for example, the processing servers 206 such that the data can be processed. Optionally, the destination network gateway can forward the reassembled version of the original data packet(s) to a destination cross-domain guard device 1132, and the cross-domain guard device 1132 can inspect the content of the data packet(s) to ensure that such data can pass through to other components in the node 110A-N, such as the processing servers 206. The destination cross-domain guard device 1132 can then forward the reassembled version of the original data packet(s) to the processing servers 206 if the data is allowed to pass. The processing servers 206 can then transmit the processed data back to the destination network gateway (e.g., as one or more data packets with processed data), and the process described above can be repeated in reverse.

In some embodiments, as illustrated in FIG. 11C, one node 110A-N may be redundant of another node 110A-N (e.g., to ensure data is backed up). Thus, a first node 110A-N (e.g., node 110A) may forward the reassembled version of the original data packet(s) to the redundant node 110A-N (e.g., node 110B). To perform this action, the first node 110A-N can transmit the reassembled version of the original data packet(s) to the redundant node 110A-N via the private network 101 (e.g., not over the public network 210 and/or the cellular network 220, which could compromise the data packet(s)).

Alternatively or in addition, as illustrated in FIG. 11D, the first node 110A-N can transmit the reassembled version of the original data packet(s) to the redundant node 110A-N via the network gateway 1134 and via the private network 101 or the public network 210/cellular network 220. For example, the network gateway 1134 of the first node 110A-N can split the data packet(s) into one or more sub-packets and transmit each sub-packet over a different network path to the redundant node 110A-N.

If using the private network 101, each network path may actually pass through another node 110A-N, where the network gateway 1134 of the other node 110A-N acts as a “deflect.” As an example illustrated in FIG. 11E, if the first node 110A-N is node 110A and the redundant node is node 110B, the network gateway 1134 of node 110A may transmit a first sub-packet to the node 110B through the private network 101 and via the network gateway of node 110C. The network gateway 1134 of node 110A may also transmit a second sub-packet to the node 110B through the private network 101 and via the network gateway of node 110D. Thus, the communications between nodes 110A-N are more secure because (1) the transmissions occur over the private network 101, which is not accessible via the public network 210 and/or the cellular network 220; (2) the nodes 110A-N are known entities and fully controllable by the node 110A-N operator; and (3) different portions of data packet(s) are transmitted to different nodes 110A-N before reaching the destination node 110A-N such that even if one node 110A-N is compromised, all of the transmitted data is not necessarily compromised.

Using node 110A-N network gateways as “deflects” can also be extended to situations in which data is being communicated between an on-premise location and a node 110A-N. In an advanced use case, a user may wish to transmit data from the entity's place of operation and/or the data center to node 110A so that the data can be processed by node 110A, and then to have the processed data transmitted back to the entity's place of operation and/or the data center for storage. Thus, the user may use a user device (e.g., a computing device, such as a laptop, desktop, tablet, etc. or any electronic device 211) to instruct a server 1110 storing data to transmit the data to node 110A. In response, the server 1110 may transmit the data (e.g., as one or more data packets) to the cross-domain guard device 1122 present in the entity's place of operation and/or the data center. The cross-domain guard device 1122 can analyze the data packet(s) to determine whether the content in the data packets can be transmitted to node 110A (e.g., by processing the content using one or more rules, taking into account the security domain level of the internal network of the entity's place of operation and/or the data center at which the data is initially stored and the security domain level of the node 110A).

If the cross-domain guard device 1122 allows the data packet(s) to pass, the source network gateway 1124 receives the data packet(s). The source network gateway 1124 can then split the data packet(s) into one or more sub-packets. The node 110A, however, may not be the closest node 110A-N to the entity's place of operation and/or the data center. Rather, node 110B may be at a geographic location that is closer to the entity's place of operation and/or the data center than the node 110A. Transmitting data to the node 110B rather than the node 110A may be beneficial because it can reduce the number of devices in the network paths between the on-premise location and the nodes 110A-N that can potentially maliciously capture the data, and because the data transfer rate might be faster when transmitting to the node 110B than to the node 110A. In fact, transmitting data from the on-premise location to the node 110B, and then from the node 110B to the node 110A may be faster than transmitting data from the on-premise location to the node 110B because the private network 101 may be optimized to transfer data at a faster rate than is possible via the public network 210 and/or the cellular network 220. Thus, the source network gateway 1124 may transmit each sub-packet to the node 110B network gateway 1134 over a different network path via the public network 210 and/or the cellular network 220.

The node 110B network gateway 1134 can reassemble the sub-packets to form a reassembled version of the original data packet(s). Once reassembled, the node 110B network gateway 1134 can split the reassembled data packet(s) into sub-packets, and transmit each sub-packet to the node 110A through the private network 101 via different network paths. In particular, the other nodes 110C-N can act as “deflects” such that one network path may pass through the node 110C network gateway, another network path may pass through the node 110D network gateway, and so on. Once all sub-packets are received, the node 110A network gateway 1134 can reassemble the sub-packets into the original data packet(s), and can forward the reassembled original data packet(s) to the processing servers 206 of the node 110A (optionally via the cross-domain guard device 1132 of the node 110A). The processing servers 206 can then process the data and transmit the processed data back to the node 110A network gateway 1134 (e.g., as one or more data packets with processed data). The node 110A network gateway 1134 can then transmit split portions of the data packet(s) to the node 110B network gateway 1134 via different network paths through the private network 101. The node 110B network gateway 1134 can then reassemble the sub-packets into the original data packet(s), split the original data packet(s) into sub-packets, and transmit each sub-packet to the on-premise location via a different network path through the public network 210 and/or the cellular network 220. In some embodiments, the node 110B does not reassemble the sub-packets into the original data packet(s). Rather, the node 110B simply transmits each received sub-packet to the on-premise location via a different network path through the public network 210 and/or the cellular network 220.

FIG. 12 is a block diagram of a second “on-premise to cloud” environment 1200 in which data managed by an entity (e.g., an individual, a company, a business, etc.) and stored locally at the entity's place of operation (e.g., in one or more servers 1110 located at the place of operation) and/or stored at a location accessible by the entity (e.g., in one or more servers 1110 at a data center) can be securely transmitted to a node 110A-N via the public network 210, the cellular network 220, and/or the private network 101. The second “on-premise to cloud” environment 1200 is similar to the first “on-premise to cloud” environment 1100 described with respect to FIGS. 11A-11E, except that a cross-domain guard device 1122 is not present at the on-premise location nor at the nodes 110A-N and the operations described with respect to the cross-domain guard device 1122 are skipped. Thus, the server(s) 1110 may provide data directly to and/or receive data directly from the network gateway 1124, and the network gateways 1134 in the nodes 110A-N may provide data directly to and/or receive data directly from the processing server(s) 206 and/or other servers present in the nodes 110A-N.

FIG. 13 illustrates a diagram detailing the nodes 110A-D each having a network gateway 1134A-D (e.g., DVN) that allows each node 110A-D to operate as a “deflect,” if necessary. For example, the network gateway 1134A of node 110A can receive disassembled original data packet(s) from the network gateway 1124 on-premise. The network gateway 1134A can reassemble the original data packet(s) and transmit the reassembled original data packet(s) to node 110C (or node 110B or node 110D) via nodes 110B and/or 110D (or node(s) 110C-D or node(s) 110B-C).

FIG. 14 illustrates a diagram detailing two systems 1402 and 1404 having different security domain levels (where the system 1404 identified as “SCIF” has the higher security domain level and the system 1402 identified as “Moderate” has the lower security domain level), with cross-domain guard devices 1124A-B present to control the flow of data between the different security domain levels. For example, the cross-domain guard device 1124B may prevent certain data from being transmitted from the system 1404 to the system 1402 given that the system 1404 has the higher security domain level.

FIG. 15 illustrates a block diagram detailing an embodiment in which data can be communicated between a node 110A-N and a third-party cloud system provider 1510 via a direct network backbone connection (e.g., via channel connectivity (ON-Net)) instead of via the public network 210 and/or the cellular network 220. This functionality is referred to as “cloud-to-cloud.” For example, data can be communicated between a node 110A-N and a cloud system provider 1510 via the network gateway 1134 of the node 110A-N.

Thus, each node 110A-N can include a network gateway 1134 (e.g., DVN) that allows the respective node 110A-N to operate as a “deflect.” In addition, each node 110A-N can have a direct network backbone connection to a third party cloud system provider 1510.

FIG. 16 is a block diagram of another “on-premise to cloud” environment 1600 in which data managed by an electronic device 211 can be securely transmitted through an edge system 1620 to a node 110A-N via the public network 210, the cellular network 220, and/or the private network 101. For example, an edge system 1620 may include a network gateway 1624 and may be associated with a particular geographic region. An electronic device 211 may transmit data to the edge system 1620 located nearest to the electronic device 211 (e.g., the edge system 1620 located in the same or similar geographic region as the electronic device 211) via the public network 210 and/or the cellular network 220.

An edge system 1620 may include hardware (e.g., one or more processors, memory, input/output interfaces, a network gateway, etc.) that allows the edge system 1620 to perform data processing. Such processing can include processing electronic device 211 data, transmitting electronic device 211 data to another entity, processing data received from a node 110A-N, transmitting data received from a node 110A-N to an electronic device 211 (e.g., policies to implement), etc.

The network gateway 1624 of an edge system 1620 may be a source network gateway, such as a source network gateway 1124 described above. The edge system 1620 (e.g., the source network gateway 1624) can establish a secure connection with a destination network gateway 1134 (e.g., a network gateway 1134 operating in a node 110A-N) in a manner as described above to transmit the electronic device 211 data securely to a node 110A-N.

Once the electronic device 211 data is received by a node 110A-N, the data can be routed to another node 110A-N in a manner as described herein. Thus, an electronic device 211 can transmit data to an edge system 1620 nearest to the electronic device 211, and the data can then be routed securely to any node 110A-N, including a node 110A-N that is associated with a geographic region that is different than a geographic region with which the electronic device 211 is associated.

FIG. 17 is a block diagram of a network gateway 1124, according to one embodiment. As illustrated in FIG. 17, the network gateway includes an access point 1712, a processing unit 1714, and a controller 1716.

The access point 1712 can be a wired or wireless access point 1712 that allows user devices, such as electronic devices 211, to connect to the network gateway 1124. The access point 1712 can perform an authentication operation before allowing a user device to access an on-premise network, the nodes 110A-N, and/or remote applications (e.g., cloud applications) associated with the entity operating the on-premise network. For example, the access point 1712 can store a list of media access control (MAC) addresses. When a user device attempts to connect to the access point 1712, the access point 1712 can request the user device's MAC address and compare the user device's MAC address to the stored MAC address list. If the user device's MAC address is present on the stored MAC address list, the access point 1712 may successfully authenticate the user device and allow the user device to access the on-premise network, the nodes 110A-N, and/or the remote applications.

The access point 1712 can alternatively or in addition perform other authentication operations to determine whether the user device should be granted access to the on-premise network, the nodes 110A-N, and/or the remote applications. For example, the access point 1712 can perform heuristics to determine whether a user device should be authenticated even if the MAC address of the user device is present on the stored MAC address list. For example, if a user device attempts to access the network gateway 1124 from a first location, and then a few minutes later attempts to access the network gateway 1124 from a second location that could not be reached from the first location within a few minutes, this may indicate that some malicious activity is taking place, and the access point 1712 can deny the access request.
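The two access-point checks from the preceding paragraphs, the MAC allow-list and the location heuristic, as an added example that is not the patent's code: the heuristic is written as an "impossible travel" test that denies an attempt when the great-circle distance from the device's last granted location, divided by the elapsed time, exceeds a plausible speed. The speed threshold, the coordinates, the MAC values and the result strings are constructed for this example.

```python
"""Access point authentication (added example, not patent code):
MAC allow-list check followed by an impossible-travel heuristic."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # constructed threshold, roughly airliner speed
MIN_INTERVAL_S = 1.0               # floor on elapsed time to avoid division by zero


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so list lookups ignore separator style."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class AccessAttempt:
    mac: str
    timestamp: float               # seconds since epoch
    location: Tuple[float, float]  # (lat, lon) attributed to the attempt


class AccessPoint:
    def __init__(self, allowed_macs: Iterable[str]):
        self.allowed = {normalize_mac(m) for m in allowed_macs}
        self.last_granted: Dict[str, AccessAttempt] = {}

    def authenticate(self, attempt: AccessAttempt) -> Tuple[bool, str]:
        """Return (granted, reason). Only granted attempts update the history,
        so a denied attempt cannot move the device's reference location."""
        try:
            mac = normalize_mac(attempt.mac)
        except ValueError:
            return False, "malformed-mac"
        if mac not in self.allowed:
            return False, "mac-not-on-list"
        prev = self.last_granted.get(mac)
        if prev is not None:
            if attempt.timestamp < prev.timestamp:
                return False, "out-of-order"
            km = haversine_km(prev.location, attempt.location)
            hours = max(attempt.timestamp - prev.timestamp, MIN_INTERVAL_S) / 3600.0
            if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                return False, "impossible-travel"
        self.last_granted[mac] = attempt
        return True, "granted"
```

Since MAC addresses are reported by the device and can be changed, the allow-list identifies hardware only against a non-adversarial user; the travel heuristic is what gives the text's "alternatively or in addition" its value, and in practice both would sit alongside a credential-based check.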

If a user device is granted access to the network gateway 1124 via the access point 1712, the user device can access the server(s) 1110 via the controller 1716, the processing unit 1714, and an on-premise switch 1718 present external to the network gateway 1124. The user device can also access a node 110 or a remote application via the controller 1716 and the public network 210.

Alternatively or in addition, a user device can gain access to the network gateway 1124 via the public network 210. For example, the user device can attempt to access a network address (e.g., an Internet protocol (IP) address) corresponding to the network gateway 1124. The controller 1716 may receive the access request and redirect the user device to the access point 1712. The access point 1712 may then perform the authentication described herein. If the user device can be authenticated, the access point 1712 can inform the controller 1716 that access is granted, and the controller 1716 can allow the user device to access the on-premise network, a node 110A-N, and/or a remote application.

The processing unit 1714 can include one or more central processing units (CPUs), one or more graphics processing units (GPUs), memory, hardware adapters, and/or other hardware components. In a “standard” implementation, the processing unit 1714 can provide security services, such as encryption services, so that data can be securely transmitted over the public network 210. For example, data received from a server 1110 via the on-premise switch 1118 or from a user device can be encrypted by the processing unit 1714. Once encrypted, the processing unit 1714 can transmit the encrypted data to a remote application, a node 110A-N, or another computing device via the controller 1716 and the public network 210.

In a “cloud-ready” implementation, the processing unit 1714 can run remote applications (e.g., cloud applications) locally. For example, in this implementation, the processing unit 1714 may include additional CPUs, memory, etc. so that the remote applications can be run successfully locally. Thus, a user device may not need to access a remote application via a public network 210 in order to obtain a desired service, to process data, and/or the like. Rather, the user device can obtain the benefits of a remote application without having to transfer data over the public network 210 (in embodiments in which the user device accesses the network gateway 1124 directly via the access point 1712). In other words, the processing unit 1714 can implement a cloud environment such that a user device can access the cloud environment on-premise. In some embodiments, the processing unit 1714 can serve as a backup for remote applications accessible via the public network 210, or the remote applications accessible via the public network 210 can serve as a backup for the processing unit 1714. Thus, similar data may be stored on the processing unit 1714 and in remote servers running the remote applications.

In a “media and analytics” implementation, the processing unit 1714 can process data received from the server(s) 1110, the node(s) 110A-N, the remote application(s), and/or a user device. Because the amount of data to process may be large, the processing unit 1714 may include one or more GPUs, which may be used to perform the data processing instead of or in addition to the CPU(s).

In both the “cloud-ready” implementation and the “media and analytics” implementation, the processing unit 1714 can provide the security services described herein.

In some embodiments, the processing unit 1714 can operate in a non-cooling environment. Thus, the processing unit 1714 may not include cooling components, such as fans, liquid coolers, air coolers, etc.

The controller 1716 may serve as an interface between the network gateway 1124 and the public network 210. In some embodiments, the controller 1716 may be the session controller described above.

As described herein, the network gateway 1124 and the network gateway 1134 may provide similar functionality. Thus, the network gateway 1134 may include similar hardware components as the network gateway 1124.

FIG. 18 illustrates a process 1800 that may be implemented by a network gateway 1124 and/or a cross-domain guard device 1122 to transmit data over a public network. The process 1800 begins at block 1802.

At block 1802, a determination is made that a first data packet can be transmitted from one security domain to another. For example, the first data packet may be present in a first security domain, and the determination may be made that the first data packet can be transmitted to a second security domain based on an analysis of a content of the first data packet.

At block 1804, the first data packet is split into two separate, non-identical packets. In further embodiments, the first data packet can be split into 3, 4, 5, etc. separate, non-identical packets.

At block 1806, the first split packet is transmitted over a first path through a network. The first split packet can be transmitted over the first path to another network gateway.

At block 1808, the second split packet is transmitted over a second path different than the first path through the network. The second split packet can be transmitted over the second path to the same network gateway as the first split packet. The other network gateway can then create a reassembled version of the first data packet using the first and second split packets.
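As an added example (not code from the patent), the following Python sketches blocks 1802 through 1808 of process 1800 at a pair of gateways: a constructed content rule stands in for the cross-domain guard's analysis, the packet is split into two non-identical shares by XOR sharing with a random pad (an assumption, since the patent does not specify how the split is made), each share carries a sequence header so the receiving gateway can pair shares in whatever order the two paths deliver them, and reassembly checks a SHA-256 tag so tampering on either path is detected. All names, the policy and the sample packet are constructed.

```python
import hashlib
import os
import struct

# Constructed guard policy (not from the patent): only "RPT:" records may cross
# domains, and any record carrying the higher domain's marker is blocked.
ALLOWED_PREFIX = b"RPT:"
BLOCKED_MARKER = b"CLASSIFIED"
HDR = struct.Struct("!IHc")  # sequence number, payload length, share id


def guard_allows(packet: bytes) -> bool:
    """Block 1802: content-based decision whether a packet may cross domains."""
    return packet.startswith(ALLOWED_PREFIX) and BLOCKED_MARKER not in packet


def split_packet(packet: bytes, seq: int) -> tuple[bytes, bytes]:
    """Block 1804: two non-identical shares, neither useful on its own.

    Assumption: XOR sharing with a fresh random pad. Share A is the pad; share B
    is packet XOR pad preceded by an 8-byte SHA-256 tag used at reassembly."""
    pad = os.urandom(len(packet))
    masked = bytes(p ^ m for p, m in zip(packet, pad))
    tag = hashlib.sha256(packet).digest()[:8]
    share_a = HDR.pack(seq, len(packet), b"A") + pad
    share_b = HDR.pack(seq, len(packet), b"B") + tag + masked
    return share_a, share_b


def reassemble(share_x: bytes, share_y: bytes) -> bytes:
    """Blocks 1806-1808, receiver side: shares arrive over two paths in any
    order; both are required, and the tag detects tampering on either path."""
    parsed = {}
    for share in (share_x, share_y):
        seq, length, sid = HDR.unpack_from(share)
        parsed[sid] = (seq, length, share[HDR.size:])
    if set(parsed) != {b"A", b"B"}:
        raise ValueError("need exactly one A share and one B share")
    (seq_a, len_a, pad), (seq_b, len_b, body) = parsed[b"A"], parsed[b"B"]
    if (seq_a, len_a) != (seq_b, len_b):
        raise ValueError("shares belong to different packets")
    tag, masked = body[:8], body[8:]
    if len(pad) != len_a or len(masked) != len_a:
        raise ValueError("truncated share")
    packet = bytes(p ^ m for p, m in zip(pad, masked))
    if hashlib.sha256(packet).digest()[:8] != tag:
        raise ValueError("integrity check failed")
    return packet
```

An observer on one path sees only random-looking bytes, and a modification on either path surfaces as a tag mismatch at the remote gateway rather than as silently corrupted data.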

Terminology

All of the methods and tasks described herein may be performed and fully automated by a computer system. The computer system may, in some cases, include multiple distinct computers or computing devices (e.g., physical servers, workstations, storage arrays, cloud computing resources, etc.) that communicate and interoperate over a network to perform the described functions. Each such computing device typically includes a processor (or multiple processors) that executes program instructions or modules stored in a memory or other non-transitory computer-readable storage medium or device (e.g., solid state storage devices, disk drives, etc.). The various functions disclosed herein may be embodied in such program instructions, and/or may be implemented in application-specific circuitry (e.g., ASICs or FPGAs) of the computer system. Where the computer system includes multiple computing devices, these devices may, but need not, be co-located. The results of the disclosed methods and tasks may be persistently stored by transforming physical storage devices, such as solid state memory chips and/or magnetic disks, into a different state. In some embodiments, the computer system may be a cloud-based computing system whose processing resources are shared by multiple distinct business entities or other users.

Depending on the embodiment, certain acts, events, or functions of any of the processes or algorithms described herein can be performed in a different sequence, can be added, merged, or left out altogether (e.g., not all described operations or events are necessary for the practice of the algorithm). Moreover, in certain embodiments, operations or events can be performed concurrently, e.g., through multi-threaded processing, interrupt processing, or multiple processors or processor cores or on other parallel architectures, rather than sequentially.

The various illustrative logical blocks, modules, routines, and algorithm steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware (e.g., ASICs or FPGA devices), computer software that runs on general purpose computer hardware, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as specialized hardware versus software running on general-purpose hardware depends upon the particular application and design constraints imposed on the overall system. The described functionality can be implemented in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosure.

Moreover, the various illustrative logical blocks and modules described in connection with the embodiments disclosed herein can be implemented or performed by a machine, such as a general purpose processor device, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor device can be a microprocessor, but in the alternative, the processor device can be a controller, microcontroller, or state machine, combinations of the same, or the like. A processor device can include electrical circuitry configured to process computer-executable instructions. In another embodiment, a processor device includes an FPGA or other programmable device that performs logic operations without processing computer-executable instructions. A processor device can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Although described herein primarily with respect to digital technology, a processor device may also include primarily analog components. For example, some or all of the rendering techniques described herein may be implemented in analog circuitry or mixed analog and digital circuitry. A computing environment can include any type of computer system, including, but not limited to, a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a portable computing device, a device controller, or a computational engine within an appliance, to name a few.

The elements of a method, process, routine, or algorithm described in connection with the embodiments disclosed herein can be embodied directly in hardware, in a software module executed by a processor device, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of a non-transitory computer-readable storage medium. An exemplary storage medium can be coupled to the processor device such that the processor device can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor device. The processor device and the storage medium can reside in an ASIC. The ASIC can reside in a user terminal. In the alternative, the processor device and the storage medium can reside as discrete components in a user terminal.

Conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “e.g.,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without other input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations, and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list.

Disjunctive language such as the phrase “at least one of X, Y, Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to present that an item, term, etc., may be either X, Y, or Z, or any combination thereof (e.g., X, Y, and/or Z). Thus, such disjunctive language is not generally intended to, and should not, imply that certain embodiments require at least one of X, at least one of Y, or at least one of Z to each be present.

While the above detailed description has shown, described, and pointed out novel features as applied to various embodiments, it can be understood that various omissions, substitutions, and changes in the form and details of the devices or algorithms illustrated can be made without departing from the spirit of the disclosure. As can be recognized, certain embodiments described herein can be embodied within a form that does not provide all of the features and benefits set forth herein, as some features can be used or practiced separately from others. The scope of certain embodiments disclosed herein is indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed is:
1. A system for securely communicating data, the system comprising: a computing system comprising one or more computing devices, the computing system configured to operate as a cross-domain guard, the computing system located in a data center that has an internal network with a first security domain, the computing system configured with computer-executable instructions that, when executed, cause the computing system to: determine that a first data packet can be transmitted from the first security domain to a second security domain based on an analysis of content of the first data packet; and prevent transmission of a second data packet from the first security domain to the second security domain based on an analysis of content of the second data packet; a source network gateway in communication with the computing system and located in the data center, the source network gateway comprising a hardware processor, the source network gateway configured with second computer-executable instructions that, when executed, cause the source network gateway to obtain and split the first data packet into a third data packet and a fourth data packet that is not a duplicate of the third data packet; and a remote system located at a location remote from the data center, the remote system having a second internal network with the second security domain, the remote system further comprising a remote network gateway, wherein the remote network gateway is configured with third computer-executable instructions that, when executed, cause the remote network gateway to: obtain the third data packet from the source network gateway via a first path through the network; obtain the fourth data packet from the source network gateway via a second path through the network; and assemble the third data packet and the fourth data packet to form a reassembled version of the first data packet.